Is the U.S. federal government supposed to protect American companies, and their customers, from foreign hackers? If so, did it flunk miserably by not noticing the epic, 9/11-class SolarWinds hacking/spying debacle as it developed over nine months? And what, if anything, are the feds doing about all this?
The White House has now placed the hacks squarely at the feet of the Russian government. Since they were revealed last December, an awful lot of virtual ink has been spilled on the topic, much of it accusations flying at the federal agencies we assume are responsible for protecting us: the National Security Agency, Department of Homeland Security (DHS), and FBI, for example.
This comment by respected New York Times cybersecurity journalists, discussing the SolarWinds and Microsoft Exchange Server (MES) attacks, is typical of many:
“But the F.B.I. and Department of Homeland Security — the two agencies that can legally operate inside the United States — were also blind to what happened, raising additional concerns about the nation’s capacity to defend itself from both rival governments and nonstate attackers like criminal and terrorist groups. In the end, the hacks were detected long after they had begun not by any government agency but by private computer security firms.”
While the feds do have metaphorical egg on their faces, so do some top technology and cybersecurity companies, such as Microsoft and FireEye. At the same time, there are some unprecedented circumstances surrounding both the SolarWinds and MES attacks. Then there’s the ongoing fact that new exploitable vulnerabilities, like those in SolarWinds’ Orion IT monitoring software, are continually being discovered in all types of hardware and software used by millions of public and private organizations.
Protection: whose job is it?
It makes no sense to assume the feds somehow should have figured out what even one of the world’s top-rated cybersecurity companies didn’t notice, until investigating what looked like a minor login discrepancy. After all, that’s what those companies do: provide services and products to help private companies and government agencies protect their IT and operational technology (OT) assets, and their data.
It was industry leader FireEye that first discovered evidence of the hack on its own network, and then found its proprietary threat-detection tools had been stolen by intruders masquerading as employees. As CEO Kevin Mandia noted during a February 60 Minutes interview, “I can tell you this, if we didn’t do investigations for a living, we wouldn’t have found it. It takes a very special skill set to reverse engineer a whole platform that’s written by bad guys to never be found.”
During the same 60 Minutes program, Microsoft president Brad Smith described the hack as the “largest and most sophisticated attack the world has ever seen.” Although he’s taken some flak for that grandiose-sounding statement, this time he’s probably right. I mean, the attackers even hacked email accounts of top DHS officials, the very people responsible for detecting foreign threat actors. Fortunately, none of the compromised accounts were classified.
In a February Senate intelligence hearing, FireEye’s Mandia said that “since the front door was locked,” the hackers turned to known but little-addressed vulnerabilities. For example, it’s been claimed that known vulnerabilities in Microsoft’s software allowed hackers to fake employee identities.
In just the past two years, the number of such vulnerabilities affecting the government facilities sector alone has increased by 780%, according to the results of Claroty’s 2H2020 ICS Risk Report. Last year, a record number of critical and high-severity vulnerabilities were reported to NIST’s National Vulnerability Database.
There’s a lot more detail and complexity involved in the attacks than we can discuss here. But the expectation that government agencies should do the job of specialized private cybersecurity firms’ products and services — correctly installed, configured and maintained — underestimates how sophisticated and hard to find these zero-day vulnerabilities and malware backdoors are, even for top cybersecurity firms. And that’s on the threat-hunting, offense end, which is what many of these companies, like FireEye, also do.
Playing offense at the expense of defense
As many in the cybersecurity business will tell you, the federal government has been playing offense for many years (just look at some of its spying escapades like Stuxnet, the US/Israeli cyberattack against Iran), but with very little attention to the kind of defense we came to expect from DHS post-9/11.
While there are many reasons for this, including a lack of funding and evolving threat types, one is simply a lack of cybersecurity talent. “There are three million cybersecurity jobs in the U.S. that cannot be filled because we don’t have the right resources,” Tim Mercer, founder and managing partner for IBOX Global, told EE Times. His company provides IT services, including cybersecurity, for federal, state and local governments and large prime contractors.
“A big percentage of this is in government — federal, state and local — and very large corporations,” Mercer said. “Small businesses don’t even have cybersecurity on the radar. As contractors, we have problems finding talent. Cybersecurity as a whole is so far behind.” According to a Forbes article, the problem is only worsening, especially at the more experienced end.
Another reason is the sophistication required in cybersecurity tools for defending against attacks. Technical strategist Jay Gazlay at DHS’s Cybersecurity and Infrastructure Security Agency (CISA) told the National Institute of Standards and Technology (NIST)’s Information Security and Privacy Advisory Board that the SolarWinds attack was so sophisticated that few, if any, of its targets could likely detect it, not unless their identity management tools could detect the kind of user impersonations FireEye discovered, which is not common.
Today, considering the supply chain risk, organizations should assume they’ve already been hacked. “You need to deploy technology that monitors the system and surprises attackers in the process of their activities,” Chris Grove, technology evangelist for cybersecurity provider Nozomi Networks, told EE Times. “This takes not just an immense amount of knowledge that may be specific to that particular environment, but also knowing when things aren’t right, and then automating much of that knowledge. It takes both a human and automation working together.”
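The two points above, that identity tooling rarely spots a user being impersonated, and that an assume-breach posture means encoding "what normal looks like" and automating the comparison, can be illustrated with a small baseline-deviation detector. The following Python is an added example written for this column; it is not code from FireEye, Nozomi Networks, CISA or any product named on the page. The JSON-lines authentication events, the field names (user, src_net, device, mfa, action) and the scoring rules are all constructed assumptions, not a real identity provider's log format.

```python
import json

# Constructed sample data: JSON-lines authentication events from a hypothetical
# identity provider. Field names are an assumption for this example only.
BASELINE_EVENTS = """
{"ts":"2020-11-02T09:01:00Z","user":"alice","src_net":"corp-vpn","device":"alice-laptop","mfa":true,"action":"login"}
{"ts":"2020-11-03T09:05:00Z","user":"alice","src_net":"corp-vpn","device":"alice-laptop","mfa":true,"action":"login"}
{"ts":"2020-11-04T08:58:00Z","user":"alice","src_net":"corp-vpn","device":"alice-laptop","mfa":true,"action":"login"}
{"ts":"2020-11-02T10:00:00Z","user":"bob","src_net":"office-lan","device":"bob-desktop","mfa":true,"action":"login"}
{"ts":"2020-11-03T10:02:00Z","user":"bob","src_net":"office-lan","device":"bob-desktop","mfa":true,"action":"login"}
"""

# Constructed events to evaluate: alice's second event is an impersonation-style
# session (unknown network and host, no MFA) while her real laptop is also active.
NEW_EVENTS = """
{"ts":"2020-12-08T03:12:00Z","user":"alice","src_net":"corp-vpn","device":"alice-laptop","mfa":true,"action":"login"}
{"ts":"2020-12-08T03:15:00Z","user":"alice","src_net":"unknown-isp","device":"unknown-host","mfa":false,"action":"read_mailbox"}
{"ts":"2020-12-08T10:00:00Z","user":"bob","src_net":"office-lan","device":"bob-desktop","mfa":true,"action":"login"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events):
    """Per user, record the networks and devices seen and whether MFA was always used."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"nets": set(), "devices": set(), "mfa_always": True})
        b["nets"].add(e["src_net"])
        b["devices"].add(e["device"])
        if not e["mfa"]:
            b["mfa_always"] = False
    return baseline


def score_event(event, baseline):
    """Return (score, reasons): one point per attribute that departs from the user's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        # An account with no history at all is worth a look on its own.
        return 2, ["no_baseline"]
    score, reasons = 0, []
    if event["src_net"] not in b["nets"]:
        score += 1
        reasons.append("new_network")
    if event["device"] not in b["devices"]:
        score += 1
        reasons.append("new_device")
    if b["mfa_always"] and not event["mfa"]:
        score += 1
        reasons.append("mfa_missing")
    return score, reasons


def detect(baseline_text, new_text, threshold=2):
    """Build the baseline from history, score new events, return those at or above threshold."""
    baseline = build_baseline(parse_events(baseline_text))
    alerts = []
    for e in parse_events(new_text):
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            alerts.append({"ts": e["ts"], "user": e["user"], "action": e["action"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(BASELINE_EVENTS, NEW_EVENTS), indent=2))
```

The threshold of two is the "knowing when things aren't right" part: a single new device (a replaced laptop) does not page anyone, but a session that is simultaneously on an unfamiliar network, from an unfamiliar host, and without the MFA the user always presents is exactly the shape an impersonated identity takes, and it is flagged even though the credentials themselves were accepted.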
My next column will look at the problems the feds have with securing their own IT and OT systems and what they plan to do about it. When it comes to protecting the rest of us, recent comments by new U.S. Secretary of Homeland Security Alejandro Mayorkas sound promising.
In a March 31 statement outlining plans for strengthening U.S. cybersecurity resilience, Mayorkas had the grace to admit, “Our government got hacked last year and we didn’t know about it for months. It wasn’t until one of the world’s best cybersecurity companies got hacked itself and alerted the government, that we found out.” He pointed out that “the government does not have the capacity to achieve our nation’s cyber resilience alone. So much of our critical infrastructure is in the private sector’s hands.”
Mayorkas said DHS will strengthen its ability to disrupt ransomware attackers, and plans to increase assistance to state, local, tribal and territorial governments for cybersecurity response and recovery. An upcoming executive order will contain “nearly a dozen actions” to “improve in the areas of detection, information sharing, modernizing federal cybersecurity, federal procurement and federal incident response.”