15 March 2021

A ‘Crazy Huge’ Hack

BY JONATHAN TEPPERMAN

Last week, the U.S. government announced that hackers had broken into Microsoft’s Exchange email service in January, targeting thousands of government agencies and businesses across the country. Since then, alarm has only grown as the true scale and scope of the attack has come into focus.

The number of suspected targets now dwarfs even those victimized during last year’s massive SolarWinds attack, the breach of security software used by scores of government agencies. While the perpetrators of SolarWinds are thought to be Russian, this time China has emerged as the prime suspect. But just what were the attackers after, and what can be done to stop the next hack before it occurs?

To get answers to these and other questions, FP’s editor at large Jonathan Tepperman spoke on Tuesday with Chris Krebs, who led the U.S. Cybersecurity and Infrastructure Security Agency from 2018 to November 2020 (when he was fired by then-President Donald Trump for disputing Trump’s claims of election fraud). Their conversation has been edited for length and clarity.

Jonathan Tepperman: Last Friday, you wrote on Twitter that the Microsoft Exchange attack was “a crazy huge hack” and said that “the sheer scale and speed” were terrifying. What have we learned since then, and what do we know about what’s going on?

Chris Krebs: From what I’ve seen, it’s not just one actor. It is not just the Hafnium actor that Microsoft identified. [Hafnium is the name of a Chinese hacking group that is thought to be state-sponsored.] The Microsoft Exchange hack used a trivial vulnerability to exploit, and a number of interested players have gotten into the game. It looks like it’s gone beyond China, to possibly include cybercriminals, possibly operating out of Russia. They’ve seen different clusters of activity with various actors using different techniques, tactics, and procedures. As I’ve said before, as long as there’s a vulnerability, a tool, something of interest, and no real meaningful deterrent measures or consequences, then you’re going to continue to see this sort of behavior.

JT: Do we know what the hackers were going for? Were they trying to steal data, or something else?

CK: I don’t have that information. So far, it looks like it was just another smash and grab of email inboxes.

JT: And now that Microsoft has released a patch, is the hack continuing, or is it all over?

CK: The challenge here is that the organizations that tend to depend on this kind of software and on-premises servers tend to not have massive resources. They don’t have fully staffed IT support teams. They may outsource IT to a third party.

JT: What kind of institutions are you talking about here?

It doesn’t matter if Russia actually sways the vote. What matters is whether Americans think it did.

CK: Smaller or small- and medium-sized businesses. These are not Fortune 500 organizations. They’re typically not federal government agencies. It’s going to be a lot of small businesses, a lot of local government agencies, maybe even small credit unions, things like that. And the challenge is that they don’t have dedicated IT resources. So if they got the patch in place on Tuesday or even early Wednesday, they hopefully were protected, but they should not just move on. They should look for some of the indicators of compromise that Microsoft has released. You can close the door, but if the bad guy already got into the house, you need to look around for evidence that they’re still around.

JT: What are the real-world consequences of a hack like this?

CK: I think that story has yet to be told, frankly. If a number of organizations were compromised by cybercriminals that are looking around their networks to see what’s there, the potential ransomware attacks are still a couple of days to a couple of weeks out. That’s when you’re going to know the real consequences. And this hack was classic fodder for a ransomware attack. The attackers got access. They could move around [inside the compromised servers]. They’ll lock them up, and then they’ll demand payment.

JT: Are there potential national security implications?

CK: This is where we get into a different discussion. Classic national security implications in the cyberworld tend to focus on federal agencies, the defense-industrial base, and the really significant banks. And that’s where U.S. national security resources, the intelligence community, the Department of Defense, and law enforcement have been focused over the last several years.

But I have a different theory for what constitutes a national security implication. If you have thousands, if not tens of thousands, of local government agencies affected by ransomware, where citizen services are disrupted and citizens in their local communities lose faith in the ability of their governments to deliver the support they need, that in and of itself is a national security issue. That is the death by a thousand cuts.

JT: Explain the significance of the fact that this was a virtual private server attack, as opposed to one that came directly from outside the country.

CK: Over the last several years, our adversaries have come to understand how our system of laws work, how Fourth Amendment protections apply to the American people, and that the federal government is not scanning and surveilling domestic communications traffic. And so our adversaries have figured out how to tunnel into domestic communications infrastructure and set up shop. They know that as long as they can get into domestic systems undetected, then they can operate with a degree of impunity. So they come in and use a lot of the same systems that we use: cloud systems, cloud infrastructure. They use short-term leases of virtual machines or virtual private servers. And yes, the law enforcement community with the appropriate tip can go look for this activity. But that can take a long time.

JT: Were we slower to catch on as a result?

CK: I don’t know. I think subsequent investigation will reveal the answer. But the Chinese have done this before. And the Russians have done it. So this is part of what the national security apparatus needs to be thinking about, in terms of taking this option away from our adversaries.

JT: You mentioned deterrence before, so let’s get back to that now. The New York Times reported on Monday that the Biden administration is about to roll out its response to Russia for the SolarWinds hack. Do you have a sense of what that’s going to look like?

CK: A couple of weeks ago, Anne Neuberger [the new deputy national security advisor for cyber and emerging technology] held a briefing and laid out three key work streams. First was the investigation into what happened with the SolarWinds breach. The second was what the government is doing to build back better, to make a more secure federal cybersecurity environment. There’s also been talk of an executive order in the coming weeks that will further secure civilian networks. And the third is what the response is going to be to the likely Russian actors.

One very clear message to the Kremlin has to be that [SolarWinds] went beyond traditional espionage. This was targeting and undermining trust in the internet itself, how we use and take in software updates, and this should be off limits. I think as a part of that, you may see the U.S. government reengage in conversations about setting cybernorms, which have dropped off in the last several years.

JT: You raise an interesting point that gets to a broader question: Does the United States even have an explicit and comprehensive deterrence policy on cyber right now? Or does one need to be articulated? My sense is that there’s a gentleman’s agreement in operation, under which certain kinds of attacks—conventional espionage—are tolerated, while attacks that involve infrastructure or, as you said, undermine trust in institutions are considered beyond the pale. And there’s a sort of mutual assured destruction paradigm in effect, which is what keeps the Russians and the Chinese from launching attacks that would shut down power stations or unleash the kinetic effects that everyone is so frightened about. Is that an accurate characterization? And what are the big gaps in U.S. deterrence policy that need to be addressed?

CK: There certainly are norms in place that the Chinese have agreed to—initially through the [Barack] Obama-Xi [Jinping] accords, and then subsequently through work at the United Nations. And one of the core tenets or norms is that you do not attack computer emergency response teams, or critical infrastructure, or public infrastructure—certainly in times of peace. As I understand it, the United States plays by those rules. But some of our adversaries don’t. You’ve seen the Russians target Ukraine’s power infrastructure in years past. So I think that we need to reinvigorate those conversations.

When it comes to espionage, it depends on what you’re doing. If you’re doing it for commercial gain, that was declared off-limits in the U.S.-China accords from 2014 or 2015. But it remains to be seen what’s happened with this [Microsoft] Exchange vulnerability. I don’t see a lot of espionage benefit of going after local governments, credit unions, and things of that nature in an indiscriminate manner.

JT: The Biden administration is reportedly considering a quiet response to Russia. National Security Advisor Jake Sullivan said recently that he wants to establish a set of understandings with the Russians that “may not be visible to the broader world.” Why the secrecy? Don’t deterrents generally work best if you make them very public? It’s like that classic line from Dr. Strangelove: “The whole point of a doomsday machine is lost if you keep it a secret.”

CK: It depends on the measure, right? There will be a suite of options, some public and overt, others covert. If the White House picks up a phone and calls the Kremlin and says, “Knock it off,” you’re not going to get that into in the Twittersphere. If there are cyberoperations, those would probably be nonpublic as well. But there may be other measures, like declaring spies persona non grata and kicking them out of the country, that could be public. It’s going to be a mixture. And the Russians for their part would be hesitant to make it known if they had any sort of brushback pitch from the United States.

JT: A lot of experts argue that deterrence doesn’t really work in cyber anymore, that it’s an outdated concept that comes from the nuclear arena, and that we shouldn’t even focus on it. They argue that we should concentrate on resilience instead. What do you think?

CK: I think that deterrence has worked to date. I think that’s why you haven’t seen the cyber-Pearl Harbor, or cyber-9/11, that we’ve been warned about now for 20-odd years.

JT: This is an argument that always puzzles me. We’ve already seen massive and escalating attacks year after year. So what would qualify as a digital Pearl Harbor?

CK: Let me push back on that that. Are we seeing massive escalating attacks? 2017 was a massive year for cyber-events. WannaCry, NotPetya, BadRabbit. And at the same time, we had Russian targeting of the energy sector. We were so busy here, from a response perspective, and that came on the heels of the 2016 election hacking, and the 2016 Russian action in Ukraine. So I think it’s arguable that it’s not a massive escalation. It’s just that we’ve become desensitized over time to the attacks that just keep hitting us.

JT: So what would a cyber-Pearl Harbor look like then? What is the feared event that hasn’t happened?

CK: Kinetic effects from a cyberattack that caused lasting functional disruptions to the economy or a destabilizing effect on society.

JT: Deterrence may have prevented a Pearl Harbor-style attack, but it doesn’t seem to work in other cases.

CK: I think the fact that we’re still seeing escalating attacks is a sign that we haven’t hit the Russians, in particular, in the right spot to dial them back. Last year was the year of really scary virtual private network vulnerabilities, and some of them are really hard to patch, and the Russians figured this out. So we have to sit back and think, “Okay, well, what more can we do to the Russians?” Do you sanction them more? Well, is there anybody left to sanction? I think the answer is probably yes. I think we can do a better job coordinating with our international partners to hit them where they really care. For a lot of the oligarchs, and Russian President Vladimir Putin’s inner circle, that means in their pocketbooks.

So I think there are some dials we could turn. The other thing that I’m particularly concerned about is the massive escalation in ransomware and cybercrime.

JT: What do you think we’re likely to see in the months ahead? Are we going to see even more cyberattacks and a cycle of escalation? Or do you think that there’s a good chance that if the Biden administration gets it right—and I’m curious how optimistic or pessimistic you are about that—that there could be a quieting down, whether it’s the result of a sort of nuclear peace ensured by mutually assured destruction, or just the result of an effective deterrence policy?

CK: Let’s just set the stage here. I don’t think that you’re going to see a quieting down of bad guys attempting to do bad things. As long as vulnerable systems exist, they will always continue pushing to get into systems. I think over the last couple of years, particularly in the federal government, the security posture has improved. That goes back to the Obama administration with the National Cyber Action Plan. You saw a really intense focus on improving security.

I think that what you’re going to see the United States do over the next couple of years—and you’re already seeing it in the COVID relief act, the CARES Act, which includes about $1 billion for IT modernization and about $650 million for my old shop for increased threat-hunting—you’re going to see cybersecurity investments increase. Is it going to be at the expense of cyber-offense? I doubt it. It doesn’t need to come at the expense of offense, but we’ve got to up-level our defense.

The second piece here is that we have to modernize our systems. We have to make them easier to defend. If you think back a couple of years ago, the federal civilian IT budget was about $80 billion, and $60 billion of that was dedicated to legacy operations and the maintenance of legacy systems. To me, that’s crazy. Yes, it’s going to take an initial bump in IT spending to retire old systems and get to the cloud, but the long-term efficiencies, the reduced costs, the citizen service improvements, all this stuff will make that investment so worth it.

No comments: