Hard lessons of the SolarWinds hack

Cybersecurity reporter Joseph Menn on the massive breach the US didn’t see coming

In December, details came out on one of the most massive breaches of US cybersecurity in recent history. A group of hackers, likely from the Russian government, had gotten into a network management company called SolarWinds and infiltrated its customers’ networks. This access was then used to breach everything from Microsoft to US government agencies, including the US Treasury and departments of Homeland Security, State, Defense, and Commerce.

On today’s episode of Decoder, I’m joined by Joseph Menn, a reporter at Reuters who focuses on cybersecurity investigations and the author of the new book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. We discuss what this breach means for US security and the companies in SolarWinds’ supply chain that might have been affected.

The SolarWinds hack hasn’t really gotten the attention it deserves because it happened during the chaos after the presidential election. But it’s a big deal. And it raises a lot of questions about how to respond to such a massive attack and the responsibility of the private sector when it comes to national security. There aren’t a lot of easy answers here, but it’s clear that change is coming with the Biden administration.

Okay, Joseph Menn. Here we go.

Below is a lightly edited excerpt from our conversation.

It’s complicated that the hack happened in an election year. The Trump administration, and specifically President Trump himself, is strangely cozy with Russia. Now, there’s a new administration. It seems like Biden’s going to take a more aggressive posture toward Russia. In the middle of all this, there’s the election security noise, Trump fires Christopher Krebs, who is in charge of cybersecurity. How does that all play into this? Is it we didn’t want to say it was Russia too loudly, and now we’re comfortable saying it a little louder? Is it the Trump administration did not have a good cybersecurity infrastructure?

I don’t think that’s something that we know yet. It may have been a bit of insurance on the part of the Russians that, under Trump, the United States government did not aggressively punish — particularly, the executive branch did not aggressively punish — Russia for a lot of really bad behavior that other governments would have done more about. There were sanctions, but it was driven by congressional action. So you don’t have to be a big conspiracy theorist to think the Russians believe, “Well, we’ve gotten away with invading Ukraine. We can do this big hack, and even if we get caught out, this is the least likely White House in memory to sound the alarm and rattle a saber at us.” So from here, I certainly doubt that there was any foreknowledge of this in the administration. But from the attacker perspective, the US is distracted, and has a president that’s less likely than predecessors to yell and scream and threaten sanctions if we are found out.

We’ve got a new president now. Has the posture toward particularly this act, but also Russia cyber operations, shifted at all yet?

[Sighs]

That was a very telling sigh.

The administration’s been on the job for a few days, and in the heated political atmosphere, there’s a wide spectrum of noise before things are sorted out. During the transition, Biden said that this is something specifically that is going to be responded to in a big way. Some folks said this is an act of war. The people who’ve been at this for a long time and don’t have a particular axe to grind are not saying it’s an act of war. There’s no evidence of destruction. There’s no human life lost. This is classic espionage. It’s just that we got owned really badly. It’s similar, I mean, in my mind, to the hack of the Office of Personnel Management widely attributed to China some years ago where they got classified personnel files on the majority of folks in the US government and outside of the US government with a secret clearance or above. That was really, really bad, but it wasn’t warfare. That’s an espionage win. And we’re trying to do exactly that sort of thing to China and Russia and other governments.

But I think it’s clear that there will be some kind of response. There are going to be hearings on this, but like many things cyber, it has a lot of aspects. Like, “Are we sure that country X was behind this? Can we prove that to the world’s satisfaction? And then do we respond economically or diplomatically and other ways?” Hopefully not militarily, though I suppose that’s a possibility. And then, “How do we stop this from happening again?” And that’s really hard and complicated.

It involves defense versus offense. It involves asking how you secure the supply chain. What do you do about employees in other countries and contractors in other countries? It’s similar to the trade war with China. Our computers and their software go back and forth dozens of times before they wind up on your desk. And it is pretty impossible to secure completely. So what do you do about that? Do you try and undo all these global relationships because you’re sometimes rivals? If you do, you’re going to hurt the economy in a pretty major way. So there are big thorny issues, and it’d be nice if the new administration and Congress take that seriously and come up with a plan. It hasn’t really happened before.

A breach of this scale, involving the biggest companies in America and the American government itself, is usually the thing that catalyzes change, that leads to a disclosure law or a reframing of the American posture toward offensive cyberattacks. But because of the transition [from Trump to the Biden administration] and the sort of instant quiet from the attacked parties, it doesn’t feel like this is that moment. Is there a group of people who are going to tackle this in the Biden administration? Does he have an appointee set who has the expertise to raise the profile of this again and build the political capital to actually make the change?

Well, that’s really interesting. And this is playing out in real time. Biden has appointed most of the top cyber people. As of this morning, there were one or two key holes. But among other things for the first time, there’s a deputy national security adviser for cyber, Anne Neuberger. Anne is very well-regarded, was at the NSA for many, many years and, among other things, was fulfilling part of the NSA’s mission to cooperate with industries on defense. There are a number of people who have really strong military and government experience. As of this weekend, the suspected new cyber czar inside the White House is Jen Easterly, who was one of the people that helped create Cyber Command as a separate unit of the Pentagon, the people responsible for running cyberattacks in other countries.

So you have really intelligent, really experienced people. Do they have the kind of broad, blue sky, strategic thinking that might help turn around this really gnarly problem? I don’t know. We’ll see. The fact that both houses of Congress are from the same party probably helps, as does the fact that a lot of this isn’t that partisan in a terribly polarized environment. Nobody’s a big fan of getting hacked to pieces by the other countries. So I am more optimistic now than I have been in 20 years of covering this, but that doesn’t mean I’d actually bet on a complete turnaround.

So you’re starting from a low bar, is what you’re saying.

Yes.

You mentioned that this looks like an espionage operation. What’s interesting about that is you come from Microsoft’s view of espionage, but kind of the way Americans would see it is, “Well, that’s Microsoft’s problem. We don’t need the government or the Pentagon…” or “That doesn’t merit a military response,” which is kind of what you’re describing. But at the same time, this is a major national security problem. How does that play together?

So that’s a really good question. … Very, very rarely do you see military response to legit espionage targets being attacked. But there’s the separate issue, which you hit on, which is like, is this a Microsoft problem? In my opinion, it is not fair to expect private companies, no matter how large, to fend off entire nation-states. The job of the US government should be to defend private enterprise from other countries.

It’s really, really hard when you try to get into the weeds on that because sometimes a nation-state will use the same techniques as a 16- or 17-year-old. So there should be some reasonable standard of defense that is expected of companies. But again, at the really, really high end, if the Russians got into NSA or the Chinese got into the classified personnel files, it doesn’t matter how big a company you are. You’re going to get owned if they really want you to. So that is one of the big strategic issues that I would hope that the White House and Congress address. Where do you draw the line? What kind of help can be provided? And what’s overreach?

Do you think there’s a cultural shift with the new generation of lawmakers? I mean, we have some younger lawmakers now. We have lots of younger people who’ve come up in things like Cult of the Dead Cow in parts of the government. People are good at computers now in a way that maybe they weren’t so good at computers 10 years ago.

Yes, this is one of the good things. I mean, in the olden days when I started covering this, the only good thing you could say about cybersecurity was, “Well, awareness is rising.” And now it’s true. There are people in Congress that actually understand. There are actual engineers in Congress. You still have a hearing where they drag in [Facebook CEO Mark] Zuckerberg and members of Congress ask embarrassing questions, but it is a big change from where it was and there are tech-savvy staffers at all levels. They’re digital natives and they understand these trade-offs. I think that there’s a better chance than we’ve ever had of people having a real discussion about this.

But again, I am concerned more about the establishment, the four-star generals, the people running intelligence agencies, people in the White House who still think of warfare and intelligence in the old terms and don’t get into questions of the private sector versus the public sector stuff because there aren’t really straightforward answers. Right now, our government has been so dysfunctional that you couldn’t get the two houses to agree on pizza toppings, so how are you going to tackle something like this? I mean, the Chamber of Commerce, the private lobbying group, was outraged that folks in the Department of Energy and [Department of Homeland Security] wanted to put out voluntary guidelines for best practices to protect nuclear plants or power plants from hackers because they thought that was a slippery slope that would lead to more regulation. We can’t have that crap anymore. We need people actually willing to give and take and deal with complicated issues, or we’re going to keep getting owned like this.

Source: The Verge