2021-01-22

Remember the serious hacking crimes that infiltrated the Treasury and Commerce Departments? It’s a question that in most other month-long periods of recent American history would not need to be asked. To learn that Russia sponsored, promoted, and conducted such egregious intelligence breaches would be some of the most important and actionable news outside of what we’ve been through lately—reeling in the pandemic’s effects and morphs, taking in a riotous siege on the hallowed halls of Congress, trying to understand a general election. Those are just the hits, mind you. Each of those phenomena has rippling effects that we must contend with too.
Amidst all of that, though, we were in fact hacked by the Russians. We now understand with reliability that the Kremlin was responsible. We do not yet, if ever, understand all of those incidents’ impacts.
SolarWinds, Inc., is a U.S. company that’s kind of a big deal. Twenty-two years ago it was created in Tulsa and is now headquartered in Austin. It’s a tech firm not unlike many others. They help businesses with their technological needs, manage networks, build IT infrastructures. They take the weight and learning curve of high technology off the shoulders of their clients. In 2009 they went public and now are traded on the New York Stock Exchange with nearly a billion dollars (and likely shrinking) in sales every year.
About one month back, we learned more about SolarWinds when reports began surfacing that 18,000 of their customers who used a particular software solution were hacked between March and June last year. Among those thousands were some organizations partially owned, in concept, by you and me. The U.S. Treasury Department, the National Telecommunications and Information Administration within the U.S. Department of Commerce, and the U.S. Department of Homeland Security were all infiltrated. Our victimization was shared with that of NATO, numerous U.K. ministries, the European Parliament, and many key private firms, such as AstraZeneca (a COVID vaccine producer) and FireEye (a major cybersecurity player).
These types of hacking crimes are collectively known as supply chain attacks. They’re not new. In fact, one of the earliest poster children of massive, commercial hacking incidents surrounded Target in 2013, when 40 million customers’ private data was stolen. How did such a retail behemoth with a recently installed, multi-million-dollar cyber-defense system get breached? Through its supply chain: Target and its 1,800 stores employed countless contracted services, a chain of suppliers that included the company handling heating and air conditioning for the stores. Sophisticated hackers, and it does not even take a nation-state, knew better than to attack Target itself. Instead, they hacked an HVAC company, then weaseled into Target through that link in the chain and dropped the computer virus into Target’s systems. It’s somewhat related to the Trojan Horse narrative, though with supply chain attacks Troy would have invited the Greeks into the city rather than falling for the subterfuge of a “gift” bearing attackers.
In the SolarWinds case, there was even a lesson applicable to all of us small fries. You might still wonder how, even with the supply chain tactic, the breach ultimately occurred. I’ve admonished many times over about using garbage passwords. There are countless valid approaches online, all of which require you to use passwords that aren’t easy for your (or my) own memory. That’s kind of the rule. Take this case that is costing billions and causing unknown security anxieties. The arduous password that tricky Russian hackers got through: solarwinds123. No kidding. A technology firm with decades of experience, which implies decades of cyber-defense experience, deployed the crafty, bullet-proof password of its own name followed by “123.” SolarWinds’ employees’ passwords were also found online with relative ease. We know they told the government they were secure because without attesting to the same, no contracts. Sad. Deleterious.
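The password lesson above is easy to state and easy to ignore, so here is a small policy check of the kind an organization can run when a password is set. It is an added example written for this column, not code from SolarWinds or from any investigation; the organization-name list and the sample passwords are constructed for illustration, and the length floor of 14 is an assumption chosen for the example.

```python
import re
from typing import List

# Constructed vocabulary for the example: an organization's own name (and,
# in a real deployment, its product names and any breached-password corpus
# the organization subscribes to). Assumption: only the name is listed here.
ORG_TERMS = ["solarwinds"]

# A "trivial suffix" is a short run of digits and punctuation such as "123",
# "2021" or "!" bolted onto a known word.
TRIVIAL_SUFFIX = re.compile(r"^[\d!@#$]{0,6}$")

# Lower-case word followed by one to four digits: the classic "word123" shape.
WORD_THEN_DIGITS = re.compile(r"^[a-z]+\d{1,4}$")


def password_findings(password: str,
                      org_terms: List[str] = ORG_TERMS,
                      min_length: int = 14) -> List[str]:
    """Return a list of reasons a candidate password should be rejected.

    An empty list means the password passed every check in this policy.
    """
    findings: List[str] = []
    lowered = password.lower()

    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")

    # Reject anything built from the organization's own name. A name plus a
    # trivial suffix (the solarwinds123 pattern) is called out separately
    # because it is the most common shape in real incidents.
    for term in org_terms:
        t = term.lower()
        if t in lowered:
            remainder = lowered.replace(t, "", 1)
            if TRIVIAL_SUFFIX.match(remainder):
                findings.append(f"organization name '{term}' plus a trivial suffix")
            else:
                findings.append(f"contains organization name '{term}'")
            break

    if WORD_THEN_DIGITS.match(lowered):
        findings.append("dictionary-style word followed by digits")

    return findings


def is_acceptable(password: str) -> bool:
    """True when the policy raises no findings."""
    return not password_findings(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["solarwinds123", "SolarWinds-Admin-Pass",
                      "correct horse battery staple 7!"]:
        print(candidate, "->", password_findings(candidate) or "ok")
```

The point of the check is not cleverness but coverage of the obvious: a password built from the name on the front door is guessable by anyone who knows the name, regardless of how many characters follow it. A real deployment would add a lookup against a breached-password list so that credentials already circulating online, like the employee passwords mentioned above, are refused outright.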
Soon after learning that SolarWinds provided that supply chain channel to the hackers, we also knew that it was Moscow behind it all. A careful reader with perfect memory will recognize from this column or elsewhere “Cozy Bear,” the Russian hacker group behind the SolarWinds attack. More formally, and written less frequently, Cozy Bear is known as Advanced Persistent Threat 29, much as stars are initially given catalog numbers rather than names, or APT29. It was the Dutch at first that linked Cozy Bear to the Russians, when security camera footage after our 2016 elections identified Cozy Bear operatives as being led by Russia’s Foreign Intelligence Service. We need not repeat that Russia did, in fact, meddle in those elections. Though, I guess I just did.
Now what? First, let us all not have this critical breach escape scrutiny. True, there are many other wackadoo events in the world as I type (see above and more). This, however, has not dissolved into the fray. On the contrary, the incident has all but halted the Defense Department’s ongoing $2 billion cybersecurity project. I suppose the basic rationale, which might fly in the face of logic, is that rather than continuing to build a massive cybersecurity program right on the heels of such serious, state-sponsored breaches, they’d best figure out to the final degree what happened there and how to keep it from happening again. Cops and robbers, as I’m apt to print.
See, even they at Defense were hacked in this mess. The Pentagon swears that while it was breached there were no real effects. Okay. This major build-up of hacking defenses has been years in the making, from a 2015 directive. Since then the hackers have become more sophisticated. The vulnerabilities have expanded. The supply chains have grown. Yet, the project stands still, more or less. Bloomberg has even quoted from classified sources that, long before SolarWinds, the project “resulted in poor cybersecurity findings.”
We’re usually nonplussed about the pace of government, but here and now we need action.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
