Key senators and corporate executives warned at a hearing on Tuesday that the “scope and scale” of the hacking of government agencies and companies, the most sophisticated in history, were still unclear.
We do need to enhance the sharing of threat intelligence. Now, that’s the term in the cybersecurity community for information about attacks that people are seeing. And our basic challenge today is that that information too often exists in silos. It exists in silos in the government, exists in different companies. It doesn’t come together. Who knows the entirety of what happened here? One entity knows. It was the attacker.

Perhaps the most significant finding to date in our investigation is what the threat actor used to inject Sunburst into our Orion platform. Sunspot, which we discovered, poses a grave risk of automated supply chain attacks through many software development companies, since the software processes that SolarWinds uses are common across the industry.

The attackers came in through the SolarWinds implant and the very first thing they did was go for your keys, your tokens. Basically, they stole your identity architecture, so they could access your networks the same way your people did. And that’s why this attack was hard to find. These attackers from Day 1, they had a back door. Imagine almost a secret door into your house; and the first thing that happens when they come through that secret door is all your keys are right there. They just grab them. And now they can get into any locks you have in your house.
“Who knows the entirety of what happened here?” Brad Smith, the president of Microsoft, told the Senate Intelligence Committee on Tuesday. “Right now, the attacker” — which appears to be the S.V.R., one of Russia’s main intelligence agencies — “is the only one who knows the entirety of what they did.” Microsoft was one of the first to raise the alarm about the intrusion into networks across the government and private sector.
The hearing was a rare public airing of one of the biggest failures of American intelligence since Pearl Harbor and the Sept. 11, 2001, terrorist attacks: an assault on the “supply chain” of network management software used by governments and most of the nation’s largest companies.
The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year — a point made by Democratic and Republican senators, who asked how long the United States would have remained in the dark.
“It could have been exponentially worse,” Senator Mark Warner, Democrat of Virginia and the new chairman of the Senate Intelligence Committee, said at the end of two and a half hours of testimony.
But no representative of the United States’ intelligence agencies, chiefly the National Security Agency, appeared at the hearing. Several senators castigated executives of Amazon Web Services for declining to attend. Amazon’s absence left no one to explain how the Russian hackers secretly used its servers inside the United States to run command-and-control centers to carry out the operation, stripping emails and other data from what Ms. Neuberger said were at least nine government agencies and more than 100 companies.
Mr. Biden’s aides are contemplating a range of responses that his national security adviser, Jake Sullivan, referred to over the weekend as “a mix of tools seen and unseen.”
Those options, according to officials familiar with the discussions, include variants of steps that President Barack Obama considered and rejected after the 2016 hacking of state election systems. They included using cybertools to reveal or freeze assets secretly held by President Vladimir V. Putin of Russia, exposure of his links to oligarchs or technological moves to break through Russian censorship to help dissidents communicate to the Russian people at a moment of political protest.
At a news briefing at the White House on Tuesday, Jen Psaki, the press secretary, said that an American response would come in “weeks, not months.” But first the United States will have to make a definitive declaration that one of Russia’s intelligence agencies was responsible.
“There is not a lot of suspense at this moment about what we are talking about,” said Mr. Smith, who added that while Microsoft had not identified the intruders, it saw nothing to contradict the tentative finding of American intelligence that Russia was “likely” to be the culprit.
Mr. Biden will then have to surmount another problem: differentiating what the Russians did from the kind of espionage the United States does, including against its allies. Officials are already preparing the grounds for that argument. Last week, Mr. Biden called the intrusion of the malware “reckless” because it affected more than 18,000 companies, mostly in the United States. In private, American officials are already testing an argument that Russia needs to be punished for “indiscriminate” hacking, while the United States uses similar tools only for targeted purposes. It is unclear whether that argument will prove convincing enough for others to join in steps to make Russia pay.
Mr. Biden’s coming actions appear likely to include executive orders on improving the resiliency of government agencies and companies to attacks and proposals for mandatory disclosure of hackings. Many of the companies that lost data to the Russians have not admitted to it, either out of embarrassment or because there is no legal requirement to disclose even a major breach.
But the subtext of much of the testimony was that Russia’s intelligence services might have laced American networks with “backdoor” access. And that possibility — just the fear of it — could constrain the kind of punishment that Mr. Biden metes out. While he promised during the presidential transition to impose “substantial costs,” previous promises to hold Russia accountable did not create enough of a deterrent to make the Russians fear the penalty if they were caught in the most sophisticated supply-chain hacking in history.
Mr. Smith, who has called for a “digital Geneva convention” that would begin to create norms barring some kinds of attacks, estimated that “at least a thousand very skilled, capable engineers” were involved in the hacking.
“This was an act of recklessness, in my opinion,” he said, because it infected thousands of systems that the Russians had no interest in to give them access to only a few. “It was done in a very indiscriminate way.”
Mr. Warner, Senator Marco Rubio of Florida, the ranking Republican on the committee, and others noted repeatedly that Amazon — which runs the C.I.A.’s network cloud services and is seeking other major federal contracts — was the only company that refused to send a senior executive to explain its role in the hacking. Amazon has said nothing publicly about what it knew about the command-and-control operation run from its servers in the United States.
That is a crucial issue, because the hackers appeared to understand that American intelligence agencies are prohibited from examining network activity in the United States. So by initiating the attack within American borders, they were taking advantage of domestic privacy protections to avoid being detected.
Several senators said they were concerned that such a technique, once known, would be widely used by others. “The bottom-line question is how did we miss this, and what are we still missing?” Mr. Rubio said.
In an interview, Ellen M. Lord, a former senior Pentagon official in the Trump administration, said the challenge now would be getting law enforcement agencies, the National Security Agency, the Pentagon and others to coordinate more quickly about specific cyberintrusions.
Some laws meant to protect data have made sharing information harder, she said.
“After 9/11, everybody said, ‘Oh my God, all these different groups had information,’ but they weren’t sharing,” Ms. Lord said. “It’s the same exact situation in my mind, with all of these cyberintrusions on the defense industrial base. There needs to be a clean-sheet review of regulations and policies prohibiting information-sharing among local, state and federal government, so we don’t have all these stovepipes.”
Source: New York Times