At this point the “hack” doesn’t look like a hack as we usually think about it. The responsible parties didn’t try to damage anything, at least based on the incomplete knowledge we currently have. It looks more like espionage, with the attackers seeking to gather information.
We’re referring, of course, to a series of security breaches at US government agencies and tech companies that were discovered last month. The blurred distinction between “hacking” and “espionage” is only the first of numerous misconceptions about the cyber intrusion.
Agencies whose virtual defense networks were breached include the Department of Homeland Security, the Department of Defense, the Cybersecurity and Infrastructure Security Agency, the Department of State, the National Nuclear Security Administration (which, among other responsibilities, safeguards the US nuclear weapons stockpile), the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), and the Department of the Treasury. Private companies whose networks were penetrated include Microsoft and the cybersecurity firm FireEye.
The attackers used software developed by a third party to embed malware inside supposedly secure networks. The third party was a company called SolarWinds, which has more than 300,000 customers worldwide. One SolarWinds product is a network management suite called Orion. The intruders penetrated SolarWinds’ cyber-defenses and installed a “backdoor” – an intrusion point that allows surreptitious access – into an Orion software update. Any SolarWinds customer that installed the contaminated update gave the attackers access to its network.
Security researchers have long been concerned about this type of intrusion, referred to as a “supply chain attack.” The intrusion didn’t target the affected networks directly, but rather a third-party company – SolarWinds – that provided network management services.
The only way to prevent supply chain attacks is to either stop using third parties to help manage your network – or make sure those third parties have adequate security measures in place. That didn’t happen here, in part because the password protecting SolarWinds’ update server – the system responsible for distributing software updates – was the hard-to-guess phrase “solarwinds123.”
Without doubt, this is a catastrophic intrusion. SolarWinds claims that “fewer than 18,000” of its customers installed the corrupted update, but that still amounts to a lot of vulnerable networks. There’s also the uncomfortable fact that since security researchers now understand how the infiltration was carried out, intelligence agencies and cyber-crooks will begin using similar tools. It’s virtually certain the National Security Agency (NSA) is intensely interested in this and other supply chain attacks.
When news of the attack emerged, the US intelligence community promptly blamed Russia for it. On December 18, Secretary of State Mike Pompeo said in a radio interview, “We can say pretty clearly that it was the Russians that engaged in this activity.” This conclusion appears to have been based on the sophistication of the intrusion along with other clues that remain classified.
President Trump poured scorn on this theory in a series of tweets which mentioned China as a possible perpetrator. From our vantage point, a Chinese origin is certainly plausible. Chinese hackers were blamed for an extraordinary security breach discovered in 2015 in which the personnel files of more than 18 million current and former federal employees were stolen. There’s even been speculation that the NSA was responsible for the intrusion.
It’s possible that classified information not publicly released points a smoking gun at Moscow. But even if Russia is responsible, the reaction of our politicians to the intrusion has been more than a little over the top. Rep. Jason Crow (D-CO) called the attack “our modern day, cyber equivalent of Pearl Harbor.” Senate minority whip Dick Durbin (D-IL) accused Russia of a virtual declaration of war.
But if the government’s response to the personnel file theft six years ago is any guide, not much will happen. The Obama administration debated imposing sanctions against China after the intrusion, but never did so. China eventually arrested those who were supposedly responsible for the attack after President Obama and Chinese President Xi Jinping signed an agreement aimed at fighting cybercrime.
No matter who is responsible for the current attack, getting the penetrated networks back to normal will be an ongoing challenge. Essentially, the affected networks will need to be rebuilt from the ground up. The Cybersecurity and Infrastructure Security Agency (CISA) has published an emergency directive for federal agencies to follow.
Meanwhile, security officials in the United States and other countries continue to demand that tech companies insert backdoors into their encryption products that the government can unlock with an appropriate key. That’s a horrible idea, because strong encryption is really the only certain way to protect sensitive databases from this type of encroachment. And of course, there’s a very real prospect that hackers might discover the backdoor. That’s happened on numerous occasions in the past. What’s more, the intrusion once again proves Uncle Sam is simply incapable of keeping secrets – even about its nuclear arsenal.
When it comes to cybersecurity, trusting the government to look out for your interests is like trusting a wolf to guard the henhouse. The only person you can trust to secure your internet-connected devices (and the information on them) is you.
How can you protect yourself? First, subscribe to a robust virtual private network (VPN) to encrypt the data stream on your smartphone and your PCs. Here at The Nestmann Group, we use one called ExpressVPN.
Second, use an email program that facilitates encrypted message transmission. The one we use is Thunderbird, along with a free plug-in called Enigmail. Once you exchange encryption keys with the people you correspond with, Enigmail automatically encrypts and decrypts your messages.
Third, if you use webmail services, ditch US providers such as Gmail and the online version of Microsoft Outlook (formerly Hotmail). Use a non-US service that is serious about security and encryption. A good one is Swiss-based ProtonMail, but there are many other choices.
A good time to begin securing your electronic life would be today. The US government certainly isn’t going to do it for you.