Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but thats wrong on two accounts. It wasnt a cyber-attack in international relations terms, it was espionage. And the victim wasnt just the US, it was the entire world. But it was massive, and it is dangerous.
Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isnt at all targeted, the entire world is at risk and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.
Heres what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR previously known as the KGB hacked into SolarWinds and slipped a backdoor into an Orion software update. (We dont know how, but last year the companys update server was protected by the password solarwinds123 something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself and can affect all of a suppliers customers. Its an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.
SolarWinds has removed its customers list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes fewer than 18,000 of those customers installed this malicious update, another way of saying that more than 17,000 did.
Thats a lot of vulnerable networks, and its inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsofts analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs and it will certainly grow.
Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and were only just learning some of the techniques involved here.
Recovering from this attack isnt easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isnt compromised is to burn it to the ground and rebuild it, similar to reinstalling your computers operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they cant be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers again believed to be Russia stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.
Even without that caveat, many network administrators wont go through the long, painful, and potentially expensive rebuilding process. Theyll just hope for the best.
Its hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, theres no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.
And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVRs hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)
While this is a security failure of enormous proportions, it is not, as Senator Richard Durban said, virtually a declaration of war by Russia on the United States While President-elect Biden said he will make this a top priority, its unlikely that he will do much to retaliate.
The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and its basically buyer beware. The US regularly fails to retaliate against espionage operations such as Chinas hack of the Office of Personal Management (OPM) and previous Russian hacks because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I dont think wed hesitate for a minute.
We dont, and Im sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSAs budget is the largest of any intelligence agency. It aggressively leverages the USs position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and itll probably never be made public. In 2016, President Obama boasted that we have more capacity than anybody both offensively and defensively.
He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of persistent engagement, sometimes called defending forward. The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.
But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.
And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why dont organizations like the departments of state, treasury and homeland security regularly conduct that level of audit on their own systems? The governments intrusion detection system, Einstein 3, failed here because it doesnt detect new sophisticated attacks a deficiency pointed out in 2018 but never fixed. We shouldnt have to rely on a private cybersecurity company to alert us of a major nation-state attack.
If anything, the USs prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cellphone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the worlds popular encryption systems be made insecure through back doors another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.
We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyber-attacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.
Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVRs access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.
This preparation would not be unprecedented. Theres a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russias power grid just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.
Were not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the worlds supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day wont help create the safer world in which we all want to live.
The rest is here:
The US has suffered a massive cyberbreach. It's hard to overstate how bad it is - The Guardian
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- USA: NSA leaker Snowden is a hero, say Washington protesters - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- The Mises View: Our NSA Economy | Mark Thornton - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA WHISTLEBLOWER - TOM DRAKE - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Rucka Rucka Ali Blurred Lines Parody Obama Been Watchin' NSA - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Umfrage: NSA-Spionage und die Bundesregierung | Politik direkt - So ticken die Deutschen - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA TARGETED OBAMA, CONGRESS, SUPREME COURT, & THEIR SPOUSES, CHILDREN - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- New water records show NSA Utah Data Center likely behind schedule [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance 2 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance Panel 1 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA reveals some cyber security flaws are left secret [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- NSA data center uses less water than expected [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Rand Paul My Reaction To Judge Ruling NSA Spying On Americans Illegal Is He's Exactly Right - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (5/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Germany: NSA may have accidentally outed secret base - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Dick Cheney Gets Awkward On Fox & Friends Over NSA Spying - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- February 2014 Breaking News Barack Obama Gun control NSA worldwide people control last day - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- CNET Update NSA spy games targeted World of Warcraft ! Byy Adana - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- New NSA chief: Agency has lost trust [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Anonymous NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Cutting off H2O to the NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA Interception: Spy malware installed on laptops bought online - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Hacking is NSA's 'growth area,' Times says in agency profile! - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Judge Napolitano 'It's Time for Congress to Clip the NSA's Wings' - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Global Economic Crisis 2013 Economic Terrorism, NSA CIA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- THE CIA , FBI and NSA Spying Technology is Free and out in the open , DOWNLOAD IT NOW - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- CIS111: NSA Uncovered - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Budget 2014 Malaysia mystery NSA listening in - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA misrepresented the scope of its data collection - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA whistleblower Edward Snowden: 'I don't want to live in a society that does these sort - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA: the story of the summer - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Thinkerview - Interview B Bayart - Neutralit du net, CSA NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA Reveals Planned Police State - US to enter MARTIAL LAW - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Civil liberty activists say Obama's curb on NSA don't go far enough - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- NSA proof phone Case - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]