The SolarWinds breach last year revealed a “massive” vulnerability to foreign hackers that “approaches the category of climate change” in its threat to U.S. security, top U.S. cybersecurity experts told a recent online symposium.
On December 11, 2020, the U.S. government and the company SolarWinds were alerted by FireEye, a private cybersecurity firm, that hackers allegedly working for Russian intelligence had evaded layers of defenses in government Internet systems and penetrated the computer networks operated by the U.S. State Department, the Treasury and Commerce departments, and the Department of Homeland Security, among others.
It was the latest in a series of cyberattacks against U.S. targets — as well as one of the most alarming signals of the weaknesses of America’s digital infrastructure, the experts said.
“When we see these [cyber] attacks, it’s as if we’re dancing from the tip of one iceberg to another,” said Edward Amoroso, research professor at the New York University Center for Cybersecurity.
“If we were to lower the water level the icebergs rest on, we’d see massive, massive problems. There is so much cyber activity by nation-states that are more or less doing whatever they want.”
“We have to fundamentally rethink how we do computing,” added Amoroso, who is also the CEO of Tag Cyber.
“It was evident that the Treasury and Commerce Departments, the first agencies reported to be breached, were only part of a far larger operation whose sophistication stunned even experts who have been following a quarter-century of Russian hacks on the Pentagon and American civilian agencies,” reported The New York Times last December.
Answers are still eluding the United States.
“We don’t know the full extent of the hacks and we won’t know it for years,” said Judith Germano, who is a Senior Fellow at the Reiss Center on Law and Security and at New York University’s Center on Law & Security.
President Joe Biden is under considerable pressure to announce the American government’s response. According to experts on hacking and government security, his options are limited.
Officially, the U.S. government is being “cagey” about definitively saying the Russians caused the SolarWinds breach, said Kristen Eichensehr, Professor of Law and Director of the National Security Law Center at the University of Virginia School of Law.
“Likely Russian in origin” is as far as the official response goes as of now, says Eichensehr.
Once the retaliation level is decided, the U.S. government could over time issue indictments, roll out sanctions, or come up with a “cyber response.”
The panelists agreed that despite its massive damage, the SolarWinds breach is “not an act of war” on Russia’s part.
“What the Russians did was an intrusion that led to espionage, not an ‘attack,’ ” said Aaron Hughes, Group Vice President and Chief Information Security Officer, Albertsons Companies. Hughes previously served as Deputy Assistant Secretary of Defense for Cyber Policy at the U.S. Department of Defense from 2015 to 2017.
“This is traditional espionage, which the U.S. government engages in as well,” observed Eichensehr.
The sophisticated hacks pulled off by both Russia and China against a broad array of U.S. government and industrial targets — and the failure of intelligence agencies to detect them — are motivating the Biden administration and Congress to rethink how the nation should protect itself from growing cyberthreats.
Recent hacks by nation-states, described in the NYU panel as efforts put together by “thousands of engineers working together,” have exploited the same “gaping vulnerability in the existing system,” according to The New York Times.
“They were launched from inside the United States — on servers run by Amazon, GoDaddy and smaller domestic providers — putting them out of reach of the early warning system run by the National Security Agency,” reported The New York Times.
The agency, like the Central Intelligence Agency and other American intelligence agencies, is prohibited by law from conducting surveillance inside the U.S., to protect the privacy of American citizens.
But the FBI and the Department of Homeland Security — the two agencies that can legally operate domestically — were also blind to what happened, raising additional concerns about the nation’s capacity to defend itself.
“U.S. security leaders have long expressed caution about deploying offensive cyberattacks to cripple adversaries’ critical infrastructure or expose embarrassing information on their leaders, for fear of triggering an escalating conflict that could see foreign hackers shutting off the lights in the United States,” said Politico in the Weekly Cybersecurity column posted Monday.
“The United States’ unique digital vulnerabilities and the pressure to protect the intelligence community’s prized hacking tools will make it hard for President Joe Biden to punish Russia and China for their massive cyberattacks,” reported Politico.
Nancy Bilyeau is deputy editor of The Crime Report, and writes frequently on cyber issues.