Déjà Vu: Hacked Again
This is getting old. Yet again, Russian-backed agents have hacked the United States.
The United States can only sanction and indict so many people before discovering that this alone will neither prevent nor deter future cyberattacks. The United States must have a unified plan to confront cyberaggression through defensive and offensive action in the cyber realm. This position may mean protecting fragile democratic allies and conducting coordinated cyber strikes against malignant state and non-state actors.
While the latest cyberattack is still under investigation, authorities suspect that a Russian-backed group known as Cozy Bear hacked a management company called SolarWinds via its Orion tool, which is used to monitor outages. Then, between March and June 2020, this group inserted malware into its updates, impacting countless federal and private systems.
It was only when cybersecurity firm FireEye discovered the breach that the hack was revealed. FireEye noted that this attack was conducted by “a nation with top-tier offensive capabilities.” Indeed, Russia has previously used malware to steal critical information, but this attack was much different, focusing on “supply-side” vulnerabilities, including SolarWinds’ monitoring products. In 2018, the Government Accountability Office outlined the cybersecurity challenges related to supply-side risks (though they admitted that an attack of this magnitude was left out).
This “sophisticated” attack reportedly used IP addresses located in the United States, all while evading the Cybersecurity and Infrastructure Security Agency’s costly and sophisticated intrusion detection system called Einstein. The malware sat dormant until activated, sending sensitive information to the hackers.
This cyberattack is concerning due to Russia’s interference in the 2016 U.S. election through a coordinated information operations campaign that included a sophisticated social media strategy, hacking, and the release of compromising information via Wikileaks. Russian-backed agents also allegedly attempted to hack voting systems in nearly all 50 states. These agents could delete or change voter data. Russia also used a quasi-private company known as the Internet Research Agency to create a “troll farm” to influence social media.
According to a congressional report, the 2016 meddling intended to “sow discord in American politics and society.” The response to the Russian interference was lukewarm. The United States indicted 12 Russians for operating a military agency called the Main Intelligence Directorate of the General Staff, and the U.S. Treasury Department sanctioned some Russian entities and individuals. Clearly, these penalties didn’t go far enough because here we are again.
The United States isn’t Russia’s only target. The Russian-backed group Fancy Bear (the same group involved in 2016’s Russian meddling) hacked Montenegro’s government apparatus, hoping to influence the country’s impending NATO membership. In 2007, Estonia—which introduced online voting in 2001 and was considered one of the most technologically advanced nations globally—was also a victim of a Russian information operations campaign involving hacking and disinformation. Russia also conducted coordinated information operation campaigns involving social media and hacking in countries like Ukraine.
Nation-states such as China, Iran, North Korea, and Russia are operating with impunity in the cyber domain. Each of these respective countries has carried out cyberattacks on the United States, its allies, or private-sector entities. It is almost like the Wild West in the cyber realm, and these world powers have proven time and time again that no matter how much in good faith the United States acts, they will cooperate only in words alone.
There are some realistic options on the table to prevent and deter further cyberaggression. In 2011, President Obama defined attacks in the cyber realm as potential acts of war. With this in mind, the United States can respond with conventional means but is highly unlikely to react in such a manner. On the other hand, the United States has other tools in its arsenal for an appropriate response.
First, the United States needs an oversight board that can proactively and expeditiously identify government vulnerabilities, make recommendations, and penalizes contracted companies for security violations. While valuable, the report on Russian meddling took years to produce. In theory, an oversight board would be flexible enough to both produce reports and perform risk assessments.
While the hack is still under investigation, there are some red flags that cannot be ignored. SolarWinds’s server was left relatively unprotected with a weak password (solarwinds123), and the sign-in certificate was somehow manipulated to hack the systems. SolarWinds’s server was continuously exposed since at least 2018, thereby allowing anyone with a valid sign-in certificate to log onto its network. A government oversight board would have the ability to investigate and penalize a company or an individual for placing such compromising information online.
Second, a comprehensive systems upgrade is critical. Current U.S. cyber defenses — such as the Cybersecurity and Infrastructure Security Agency’s Einstein — failed because they didn’t have sensors to recognize and neutralize malicious traffic or an information-sharing agreement with agencies to identify servers that shouldn’t be sending information internationally. Likewise, the Pentagon’s cloud-based software is antiquated and vulnerable to attack (an upgrade is well in order). Of course, such upgrades require both funding and congressional will.
Third, cyber-offensive activities should be an option in the future. The National Security Agency has the capability and the know-how to conduct cyberattacks through the agency’s elite hacking unit known as Tailored Access Operations. However, such operations are rarely acknowledged, and that should change. There should be known penalties for cyberaggression.
The National Security Agency conducted a cyberattack against Iran using the Stuxnet virus, but the operation received little acknowledgment from the U.S. government. The Stuxnet virus destroyed thousands of Iran’s centrifuges at the Natanz powerplant that could have been used to make a nuclear weapon.
Additionally, in 2018, the U.S. Cyber Command conducted an attack against Russia’s Internet Research Agency, successfully disrupting Russia’s information operations campaign during that year’s U.S. mid-term elections. This attack was acknowledged by the U.S. government and also sent a message that cyber aggression will not be tolerated.
The United States must be ready to respond to further cyber aggression in the future. The United States must shore up its cyber defenses and leverage cyber offense as an option for deterrence. Countries like Russia don’t seem to care too much for the carrot approach. Perhaps it is time for the stick.
Thanks go to Thomas Lawrence of Lawrence Technology Services for his technical expertise in writing this article.
The views expressed in this report are those of the author and do not necessarily reflect the official policy or position of the Department of the Army, the Department of Defense, or the U.S. Government.
Matthew J. Fecteau
Matthew J. Fecteau is a graduate of the Harvard Kennedy School of Government and a veteran of the Iraq War. He specializes in national security issues. Follow him on Twitter @matthewfecteau or email him at email@example.com.