Reflections on the SolarWinds Breach
The timeline of the breach is still unfolding, but it is not too early to offer a number of high-level observations and predictions.
Published by The Lawfare Institute
Since Dec. 13, the SolarWinds breach has dominated the news cycle. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate the consequences of the security breach. SolarWinds, the company responsible for the software in question, reported that as many as 18,000 customers may have been affected. Other reports indicate that a variety of government agencies—including the departments of Treasury, State, Commerce, Energy (specifically, the National Nuclear Security Administration, which is responsible for the U.S. nuclear weapons stockpile), and Homeland Security—have been affected as well. The Washington Post reports that the Russians are behind the hack and that they have had a foothold in the affected networks since March 2020.
The timeline of this incident is still unfolding, and more information is available every day about its particulars, but it is not too early to offer a number of high-level observations and predictions:
- The scale and significance of this incident will grow as more details of the breach are revealed. There is little chance that all of the damage that has occurred has already been revealed to the attack’s victims. Further, it is entirely possible that undetected portions of the attack are still in operation, continuing to gather information for transmission back to the adversary or planting “logic bombs” that will be “detonated” at a future date. (A “logic bomb” is code inserted into a program that does harm to the computer system on which it is being executed when certain conditions are met, such as the date being Jan. 4, 2021, or a transaction being processed for a specific amount like $612,292.21.) While there is no evidence at the present moment that this is the case, nothing has appeared in the public record that would rule it out.
- Those responsible have had many months to burrow into their targets’ information technology (IT) infrastructures. Completely eliminating the attackers’ access to a network will be very difficult, if not impossible. A useful analogy might be therapy for cancer—unless essentially every cancerous cell in someone’s body is killed in the initial round of therapy, the cancer may well return while the patient is in remission. And killing every single cancerous cell in someone’s body is very hard to do. Rebuilding entire IT systems from scratch may be the only way for affected organizations to ensure the attackers no longer have a foothold.
- Victims attempting to rebuild their systems from scratch will face agonizing choices between security and a significant loss of work done between March 2020 and now (not to mention the loss of productivity entailed in rebuilding systems rather than doing useful new work). For example, one might consider restoring databases from backup media—assuming backups from March are still available, which is certainly not guaranteed. But records in many of those databases will probably have been changed, sometimes significantly, since March. Using backups from March will mean losing all of the work done on those databases in the past nine months. Using more recent backups could reduce the amount of work lost, but the more recent the backup, the greater the likelihood that the backup itself contains data the attackers altered and, for full system backups, the attackers’ own implants, since any backup taken after the intrusion began captures the system in its compromised state.
- It is impossible for any vendor of computer products or services to develop what it needs all by itself. Even the most sophisticated vendor of IT products and services obtains components such as a power supply or a program library from other parties to integrate into its offerings for customers. The SolarWinds breach has been described as a “supply chain attack,” which is true. But supply chain vulnerabilities have been a concern for cybersecurity specialists for a number of decades, and few with decision-making authority have listened—it should not have taken the SolarWinds incident for such individuals to focus seriously on supply chain security issues.
- The majority of cybersecurity breaches reported to date have compromised the confidentiality of data—hackers get their hands on data they have no right to access. But there are other threats to data. Compromises to data integrity are of deep concern—instances when hackers alter or erase data. Compromises of integrity can be even more dangerous than compromises of confidentiality. When electronic medical records are involved, most people would feel far worse about a cyber intrusion that removed an indication of an allergy to a certain medication from a medical record than one that merely revealed that allergy, even if those records are supposed to be kept confidential.
- Data is not the only component at risk in cybersecurity breaches—cyber-physical devices and computer-based control systems can also be affected. Even smartphones and personal computers can control physical devices, from printers to voice assistants such as Amazon’s Alexa. One report indicates that the compromised SolarWinds Orion software is sometimes used to manage networks that support devices for environmental controls and power in buildings. But nearly any physical real-world functionality can be tied to a network and controlled by computer, and it is quite unlikely that anyone knows the full range and extent of cyber-physical capabilities that the attackers could now control. This lack of knowledge may hold even within individual organizations, where building engineers and individual offices often decide, without reporting to higher management, to put control of physical systems on networks.
- In recovering from a cybersecurity breach, psychology also plays an important role. If your system has been compromised to an unknown extent, and your IT employees tell you that it now works properly, could you trust their judgment following a large breach? For example, if you have a calculator in your office that gives an error in about 10 percent of its calculations—would you trust it to complete your tax return? It mostly works—but you would probably not base your 1040 on it. Similarly—would you trust the data in your company’s databases following a breach? What would reassure you that essential data has not been compromised and is still valid as read from the database? At the same time, you may have no choice about it—you may have to proceed, despite your doubts.
- What is the most important security lesson to come from a breach of this size? Cybersecurity requires resilience as well as strong defenses. Unfortunately, the United States’s public and private sectors have simply not yet internalized this fact. The idea that it is possible to erect cybersecurity defenses that will keep the bad guys out of systems and networks forever is absurd on the face of it, and no serious cybersecurity professional believes that is possible. Those using information technology must assume their systems and networks have already been compromised, and take the proper precautions as if they are operating on compromised systems and networks. This will be inconvenient, reduce productivity and seem unnecessary, but it is the only way to limit the effects of a security compromise.
- The only way to limit cybersecurity risk in the long term is to moderate user demand for more functionality. Today, users want computer systems to be faster, easier to use and more interoperable; to control more things; and to provide new capabilities. Meeting all of these demands requires increasing complexity in computer systems. But cybersecurity experts know that more complexity in a system inevitably leads to less security—there are simply more ways to gain unauthorized access and more vulnerabilities to be exploited. In effect, consumers’ unmoderated appetites for functionality lead to more insecure systems. Unfortunately, IT vendors have strong incentives to sell systems and services that offer more for their customers, and moderating user appetites is inconsistent with their business models.
How will the U.S. government respond to the SolarWinds hack? Predictably, many politicians are already describing this breach as an act of war against the United States. Sen. Richard Durbin described the SolarWinds incident as a “virtual invasion.” Sen. Mitt Romney said, “[A] cyberhack of this nature is really the modern equivalent of almost Russian bombers reportedly flying undetected over the entire country.” Sen. Chris Coons said that “it’s pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war.”
But the public has heard similar rhetoric before. For example, in the aftermath of the Office of Personnel Management (OPM) hack revealed in 2015, Rep. Carolyn Maloney asserted that she “consider[s] [the OPM hack] … a far more serious one to the national security” of the United States than the 9/11 attacks. In the aftermath of the Russian intervention in the 2016 U.S. elections, former Vice President Dick Cheney said that “there was a very serious effort made by Mr. Putin and his government, his organization, to interfere in major ways with our basic, fundamental democratic processes. In some quarters that would be considered an act of war.”
Neither breaking into and spying on computer systems, even on a massive scale, nor conducting cyber-enabled propaganda and influence activities rises to the level of an “armed attack” that would justify uses of military force in self-defense. The incoming Biden administration has pledged to make cybersecurity “a top priority at every level of government” and to “disrupt and deter our adversaries from undertaking significant cyber attacks in the first place ... by, among other things, imposing substantial costs on those responsible for such malicious attacks.”
But how will the new administration’s strategy differ from current U.S. policy? Unless the incoming administration is prepared to ignore the restraints posed by international law under such circumstances, those hoping for a satisfying escalatory kinetic response are going to be disappointed.
What about imposing costs in cyberspace? U.S. leaders, in response to such incidents, typically miss the fact that the U.S. is already imposing costs in cyberspace on its adversaries. Those costs, from the adversary’s perspective, are considerable. The U.S. has conducted and continues to conduct a host of activities in cyberspace against other nations that, were they done to the U.S., would prompt outrage and anger.
Although many of those activities are not known to the public, press reports shed light on some that have occurred in the past. For example, the Washington Post reported in February 2020 that a company named Crypto AG was trusted for more than 50 years to protect the communications of various governments all over the world. But unbeknownst to its customers, Crypto AG was owned by the CIA in a partnership with the German Federal Intelligence Service (BND). Ownership enabled the U.S. to make technical modifications to the products supplied to Crypto AG’s customers that allowed circumvention of the mechanisms protecting the communications of those customers—most people would call such modifications a supply chain attack. The program was discontinued in 2018. In a related story, the Post also reported that, using these capabilities, the CIA learned of major human rights abuses in South America. It’s not hard to imagine the uproar if it were revealed that a large fraction of the United States’s diplomatic, military and intelligence communications had been compromised for multiple decades.
U.S. Cyber Command has also publicly adopted a cyber strategy that calls for “defending forward” and “persistent engagement” with adversaries, stating that “continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks.” As the publicly released cyber strategy demonstrates, the U.S. has been abundantly clear about its intentions to conduct nonbenign cyber activities against adversaries. From its own perspective, the U.S. would be conducting such activities for defensive purposes—but will anyone else believe that? How would the target of such activities distinguish between a nonbenign U.S. cyber activity conducted for defensive or for offensive purposes?
Because most U.S. offensive cyber activities are classified, and those targeted don’t publicly comment on their impact (perhaps because they are unaware of them due to good U.S. tradecraft or because they are aware but have chosen not to publicly reveal them), it is easy for the U.S. to portray the current situation as one in which it is always and exclusively on the receiving end of offensive cyber actions. Given the United States’s past actions and its publicly documented intentions in cyberspace, the U.S. could risk severe escalation if it goes much further in response to the SolarWinds breach.
The U.S. will probably impose additional diplomatic and economic sanctions on whoever is deemed responsible for the SolarWinds incident. Sound familiar? Anyone dissatisfied with this outcome should be required to make a serious proposal for a different response and to consider both the adversary’s potential reaction and whether the U.S. would be willing to tolerate that reaction.
How bad is the SolarWinds incident? It’s very bad. This incident may well be “the worst cyberattack to date,” but a decade from now, will it be the worst cyber incident that the U.S. has ever experienced? Given that escalating beyond past responses would likely be more provocative than anyone wants, don’t plan on it.