Weeks after a massive cyber breach of U.S. government agencies and private sector companies was publicly announced, there is still not a clear response from the administration on who is responsible and what will be done about it.
While the government has yet to officially name the nation-state believed to be behind the hack, experts believe that the SVR, Russia’s intelligence service, was responsible and that the breach gave it access to the internal systems of government agencies and private sector companies for months before being detected.
Russia denies involvement while cyber experts are describing the hack as one of the most damaging cyberattacks in U.S. history.
The Cipher Brief spoke with cyber expert Dmitri Alperovitch about the hack, the Russians and why the next attack may be even worse.
Alperovitch is Executive Chairman at Silverado Policy Accelerator and is a co-founder and former CTO of CrowdStrike Inc. In 2016, Alperovitch revealed Russian intelligence agencies’ hacking of the Democratic National Committee (DNC), events which unveiled the full scope of cyber influence operations being launched against the 2016 US Election.
The Cipher Brief: What do you think needs to happen right now, in order to ensure that the U.S. has full insight into this breach? How does this discovery process work and how long might it take?
Alperovitch: This is going to take months. If it is indeed SVR, as it is believed to be, they’re a highly sophisticated adversary that is very good at staying inside networks for a long time and then engaging in virtual hand-to-hand combat with defenders to keep their foothold. Given the scope of this and given the number of agencies and private sector companies that have likely been compromised, many, many months is what we’re looking at before this is fully remediated.
The Cipher Brief: What’s really interesting about that is that right in the middle of these many, many months is a presidential transition. What do you think are the most important things for the outgoing and incoming administrations to do in order to allow government to stay on top of this?
Alperovitch: This is going to be very challenging because right now all of these agencies need to operate under an assumption that their network is compromised, and that all of their emails are being read by the Russians. I know a number of agencies have moved toward working on the high side – or classified networks – as a result, which is highly inconvenient and is not always doable, particularly for people who are working from home right now. This is going to be a challenge, even in the remaining days of the Trump administration, but certainly for the new government about to take office. It’s going to make it harder for them to get up to speed and begin operating.
The Cipher Brief: What level of certainty do you think is needed before the U.S. officially attributes this breach to the Russians?
Alperovitch: You need to be pretty certain that you have the right actors, so you don’t come out and attribute something and then have to correct yourself. But I think they need to come out and say publicly who they believe it is. Not necessarily because we’re going to hold the Russians to account on this. This is traditional espionage. I disagree with some of the over-hyped rhetoric we’re seeing right now calling this an act of war. This is espionage. If the NSA had done this kind of operation, we would be commending them and giving them medals. This is a situation where it’s good on them for doing it, but shame on us for letting them.
The Cipher Brief: That was what General Mike Hayden said after the OPM hack as well.
The Cipher Brief: Given the nature of the threat and how damaging it is, how much longer can the U.S. afford to have the attitude that this is just espionage?
Alperovitch: It is painful, but you can’t have a norm saying espionage is okay, but only as long as you’re not too successful at it. That makes zero sense. And frankly, the U.S. government has been extraordinarily successful in conducting espionage campaigns. Look at Crypto AG, the story that came out this year about the CIA’s supply chain compromise of a cryptographic vendor, a vendor used by numerous countries, an operation that lasted over half a century. One of the most successful intelligence campaigns in history. You know, that was a legitimate intelligence operation and good for us for doing it. But it certainly wasn’t a violation of any norms. And neither is this. It doesn’t mean that we should let the Russians keep doing this, but it’s our fault for letting them.
The Cipher Brief: What do you think needs to happen to ensure that breaches like this don’t keep occurring?
Alperovitch: If we don’t treat this breach as a wake-up call, we’ll never wake up. The reality is that the most disturbing part of this is not going to be the sensitive data that was stolen, because luckily it looks like they did not get access to classified networks. But even on unclassified networks, there’s a lot of highly sensitive information. To me, the more disturbing piece is that they had extraordinary levels of access to all of these networks. If they wanted to pull a NotPetya, as they did in Ukraine a few years ago, and destroy those networks, this country could have been brought to its knees in terms of our government, in terms of our economy, and so forth. And it is unacceptable to give any adversary, or anyone else for that matter, that level of access and ability to hold this country hostage.
So, we need to reorganize our government for success. First and foremost, we need to come to terms with the fact that you can’t have 130-plus executive agencies out there doing their own cybersecurity programs. It’s just never going to work. A vast majority of them will never have the competence, the experience or the budgets to do what’s necessary. And we actually need to make CISA a true cybersecurity agency and give it the authority and the mandate to secure the federal government’s civilian networks. Luckily, the NDAA that just got passed by Congress has provisions authorizing CISA to hunt on federal government civilian networks and even gives them the ability to take over cybersecurity programs for those agencies, but it still requires consent by that agency. The incoming Biden administration needs to look really hard, and they now have the authority to do so, at mandating to agencies that you shall indeed allow CISA to hunt, and you shall, in cases where it makes sense, allow them to run your cybersecurity, because many of those agencies have just proven themselves incapable of doing so.
The Cipher Brief: Is this more a matter of rebuilding networks, or is this more a matter of better training your people?
Alperovitch: I think it’s a matter of changing our mindset and operating under the constant assumption that we are breached, that an adversary is already inside those networks, and continuously hunting for those adversaries and ejecting them as quickly as possible. The fact that the Russians were able to get inside those networks and stay in for as long as nine months is unacceptable. That is the big failure here. It is not that we didn’t see SolarWinds getting hacked. There will always be another vector, another supply chain compromise or a direct compromise, or even an insider. That’s always going to be the case. And just like in counterintelligence, we always assume that there are spies inside of our government, and history tells us that that is indeed the case. We need to have the exact same assumption when it comes to cyber. An adversary is inside. Let’s go find them and eject them as quickly as possible.
The Cipher Brief: If there is a new incoming national cyber director, do you think that should be top priority?
Alperovitch: I think more important is the director of CISA. I think the National Cyber Director (NCD) position that was created was actually a mistake in how it was laid out and is highly likely to be quite irrelevant in the government, because they took that position out of the NSC. And by actually giving it 80 people, it is probably going to make it less effective. There is not space for an additional 80 people inside of the Executive Office Building because it’s already bulging at the seams. So, they’re likely to shuttle them off-campus somewhere and instantly make it irrelevant when they do so.
So, I don’t think the NCD is going to matter as much, but the director of CISA, particularly with those new authorities, assuming the NDAA is signed or there’s a veto override, is going to be one of the most powerful positions, and I know the Biden administration is already looking at making CISA the center point of its cybersecurity efforts.
The Cipher Brief: What is your big takeaway from news of this breach?
Alperovitch: We’ve always known that these types of attacks were possible, and in fact, we have seen them elsewhere, such as in Ukraine with NotPetya. So, it was not at all surprising that this took place. It was surprising that the Russians were this successful for this long, without being detected. I think the U.S. government, and frankly, the entire cybersecurity industry needs to have a lot of introspection and reflection on the massive failure that’s occurred here. And again, this absolutely needs to serve as a wake-up call to all of us.