The entire world changed in the few short hours between when John F. Kennedy went to bed on October 15, 1962, and when he woke up the following morning. While the president slept, the CIA identified the ongoing construction of medium- and intermediate-range Soviet ballistic nuclear missile sites on the island of Cuba, just 90 miles from American shores.
Each of these missiles was capable of striking Washington, DC, the Panama Canal, Mexico City, Cape Canaveral, or any other city in the southeastern part of the United States, in Central America, or in the Caribbean.
As Kennedy received his first briefing on what we now know as the Cuban Missile Crisis – or simply as the “Thirteen Days” – the president could consider only the appalling stakes.
Then the crisis ended almost as quickly as it had begun. The Russians, realizing that their position was untenable and that their test of US resolve had failed, signaled that they would negotiate and could remove the missiles. Kennedy pledged that the United States would not invade Cuba, giving the Russians and their allies something to call a win. The crisis was over.
In 2020, at the worst possible time, when the United States was at its most vulnerable, during a presidential transition and a devastating public health crisis, the networks of the federal government and of part of corporate America were compromised by a foreign nation. We first need to understand clearly the scale and significance of what is happening.
In December 2020, the cybersecurity firm FireEye disclosed that it had been hacked and that its clients, which include the United States government, had been placed at risk. The investigation established that SolarWinds, a publicly traded company that provides software to tens of thousands of government and corporate customers, had also been hacked. The attackers gained access to SolarWinds' software build process and inserted a hidden backdoor into its Orion network-management product before updates were distributed to customers. Because the tampered update was built and signed by SolarWinds itself, it passed the signature checks customers rely on; unsuspecting customers installed it, and the backdoor gave the attackers access to each victim's network.
This is what is called a supply-chain attack: the pathway into the target networks runs through a trusted supplier rather than through the target's own perimeter. Supply-chain attacks require significant resources and sometimes years to execute, and they are almost always the work of a nation-state. Evidence in the SolarWinds attack points to the Russian foreign intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.
Last December, Russian President Vladimir Putin hailed the country's "courageous" spies during a visit to the S.V.R. headquarters in southern Moscow to mark the Foreign Intelligence Service's 100th anniversary. Putin, who has spent most of the coronavirus epidemic at his residences outside the capital and on the Black Sea, made the visit amid controversy surrounding the work of the country's security services.
Speaking outside the S.V.R. headquarters, Putin, himself a former KGB officer, thanked all those who protect Russia from "external and internal threats" and called them "reliable and courageous people".
According to SolarWinds' S.E.C. filings, the malicious code was present in software updates distributed from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
The magnitude of this ongoing attack is hard to overstate.
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will long ago have moved past their entry point, covered their tracks and gained what experts call "persistent access", meaning the ability to infiltrate and control networks in a way that is hard to detect and hard to remove.
While the Russians did not have time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will most probably take years to know for certain which networks the Russians control and which ones they merely occupy.
The logical conclusion is that the US must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.
The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks the Russians control, they have the power to destroy or alter data and to impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation, both hallmarks of Russian behavior.
The question for the US now is what should be done.
On December 13 last year, the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security and itself a victim, issued Emergency Directive 21-01 ordering federal civilian agencies to disconnect or power down affected SolarWinds Orion products on their networks. The directive is aimed at stopping the bleeding. Unfortunately, it is insufficient and far too late: the damage is already done, the networks are already compromised, and an attacker who has moved on to other systems and stolen credentials is not evicted by removing the product that let them in. Removal is also impractical in the short term.
In 2017, the federal government was ordered to remove from its networks software from the Russian company Kaspersky Lab, which was deemed too risky. It took more than a year to get it off the networks. Even if the US doubles that pace with SolarWinds software, and even if it weren't already too late, the situation would remain dire for a long time.
The remediation effort alone will be staggering. It will require the segregated replacement of entire enclaves of computers, network hardware and servers across vast federal and corporate networks. Somehow, the nation's sensitive networks have to remain operational despite unknown levels of Russian access and control. A "do over" is mandatory: entirely new networks need to be built, isolated from the compromised ones, with fresh credentials and cryptographic keys, since anything issued on a compromised network must be presumed stolen.
Cyber threat hunters who are stealthier than the Russians must be unleashed on these networks to look for the hidden, persistent access mechanisms. These information security professionals actively search for, isolate and remove advanced malicious code that evades automated safeguards. This will be difficult work, as the Russians will be watching every move from the inside.
The National Defense Authorization Act, which each year gives the Defense Department and other agencies the authority to perform their work, is caught up in partisan wrangling. Among other important provisions, the act would authorize the Department of Homeland Security to perform threat hunting in federal networks. If it wasn't already, it is now a must-sign piece of legislation, and it will not be the last congressional action needed before this is resolved.
Network operators also must take immediate steps to inspect their internet traffic more carefully, so that unexplained anomalies and outright remote commands from the attackers can be detected and blocked before the traffic enters or leaves the network. In practice that means logging outbound connections and DNS queries at the perimeter and looking for hosts that contact unfamiliar destinations at regular intervals, the signature of a backdoor checking in with its operators.
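To make that kind of traffic check concrete, here is an added example written for this article (it is not code from the article's author, from SolarWinds or from any agency named here) that scans outbound proxy-log lines for hosts that contact a single destination at near-constant intervals. The log format (timestamp, source host, destination, bytes out), the sample lines and the threshold values are constructed assumptions for illustration and would need tuning against real traffic.

```python
"""Beaconing detection over constructed outbound proxy-log lines.

Added example, not from the article. Flags (source, destination) pairs
whose connection gaps are nearly constant, which is how a backdoor
polling its command-and-control server tends to look. The log format
and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: srv-01 contacts an unfamiliar host every ~10 minutes
# with slight jitter, while wks-17's browsing traffic is irregular.
SAMPLE_LOG = """\
2020-06-01T08:00:03 srv-01 updates.example-cdn.net 512
2020-06-01T08:10:05 srv-01 updates.example-cdn.net 540
2020-06-01T08:20:02 srv-01 updates.example-cdn.net 498
2020-06-01T08:30:07 srv-01 updates.example-cdn.net 530
2020-06-01T08:40:04 srv-01 updates.example-cdn.net 515
2020-06-01T08:50:06 srv-01 updates.example-cdn.net 522
2020-06-01T08:01:12 wks-17 www.example.org 2048
2020-06-01T08:04:55 wks-17 www.example.org 17822
2020-06-01T08:31:40 wks-17 www.example.org 9010
2020-06-01T08:33:02 wks-17 www.example.org 4201
2020-06-01T08:59:18 wks-17 www.example.org 3999
2020-06-01T09:12:41 wks-17 www.example.org 5120
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_beacons(text, min_events=5, max_cv=0.15):
    """Return {(src, dst): (mean_gap_seconds, cv)} for periodic pairs.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. Human-driven traffic is bursty (high cv); an
    implant polling on a timer is regular (low cv). min_events keeps
    one-off connections from producing a meaningless statistic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {gap}s (cv={cv})")
```

Run as a script it reports srv-01's ten-minute polling of updates.example-cdn.net and says nothing about wks-17. Sophisticated implants add random jitter and long sleep periods before their first check-in, so on real traffic raise max_cv, examine windows of days rather than an hour, and weigh how rare the destination is across the whole fleet rather than relying on periodicity alone.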
The overall response must be broader than patching networks. While all indicators point to the Russian government, the United States, and ideally its allies, must publicly and formally attribute responsibility for these hacks. If it is Russia, President Biden must make it clear to Vladimir Putin that these actions are unacceptable. The US military and intelligence community must be placed on increased alert; all elements of national power must be placed on the table.
While the US must reserve its right to unilateral self-defense, allies must be rallied to the cause. Coalitions will be especially important for punishing Russia and for navigating this crisis without uncontrolled escalation.
President Joe Biden must plan carefully to take charge of this crisis. He has to assume that communications about this matter are being read by Russia, and that any government data or email could be falsified.
This moment requires unity, purpose and discipline. An intrusion so brazen and of this size and scope cannot be tolerated by any sovereign nation.
Leadership in this case is essential!