As Washington continues to investigate the true depth of what experts are describing as one of the most damaging cyberattacks in U.S. history, both government and private sector leaders are considering not only the aftermath, but the shifting dynamics of global espionage.
The hack was first publicly reported by FireEye CEO Kevin Mandia in a blog post on December 8, in which he acknowledged that his cybersecurity company had been breached, writing:
Kevin Mandia, CEO, FireEye
“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
That’s how the unraveling of a cyberattack that experts say could take ‘years’ to fully understand began. A few days after the FireEye disclosure, SolarWinds, a software vendor to the U.S. government and the private sector, disclosed that it had also been breached. CEO Kevin B. Thompson posted a video addressing the hack, saying the company has launched its own investigation and is cooperating with federal investigators, including investigators from the U.S. Intelligence Community.
While the U.S. government has yet to publicly name the attacker, privately, officials say Moscow was behind it. Moscow denies involvement.
How Bad is It?
Since the initial disclosure, the U.S. government has produced a steady list of government departments and agencies that are believed to have been compromised, including the Department of the Treasury, the Department of Commerce, the Department of Homeland Security, and possibly the Departments of State and Defense and the National Institutes of Health. Last week, the Department of Energy and the National Nuclear Security Administration were added to the list.
DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive on December 13, with Acting Director Brandon Wales saying, “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” and that the “directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
On a company blog last week, Microsoft President Brad Smith referred to the hack as “…a cybersecurity superspreading event,” calling it a moment of reckoning and saying:
Brad Smith, President, Microsoft Corporation
“This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”
The magnitude of this latest attack could take years to understand, says Cipher Brief Expert and former Homeland Security Advisor to President Trump, Tom Bossert, who wrote in a New York Times OpEd that:
Tom Bossert, Former Homeland Security Advisor to the President
“The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets,” adding, “While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.”
Palo Alto CEO Nikesh Arora told CNBC’s Jim Cramer that:
Nikesh Arora, Chairman & CEO, Palo Alto Networks
“Effectively, you have the backdoor keys to 18,000 customers if they have not been able to protect themselves against this patch, or they've been diligent and downloaded this patch. So, this is going to be a big one. This is going to be known as one of the top five attacks in the history of cybersecurity,” adding, “…the people who have coordinated this sophisticated attack have the keys to various organizations and they've selectively gone after the biggest targets. And it's still not clear what the extent and the expense of this impact is, but I think we're going to keep learning more and more over time. And this will continue to have repercussions, depending on how far and how deep this attack has infiltrated.”
We asked Cipher Brief Expert Benjamin Powell, Co-Chair of the Cybersecurity, Privacy and Communications Practice at Wilmer Hale, what needs to happen now to ensure that hack victims have full insight into all aspects of the breach.
Benjamin Powell, Co-Chair of Cybersecurity, Privacy and Communications Practice, Wilmer Hale
“Forensics, forensics, forensics. Deep technical understanding of all aspects of the TTPs used by the threat actor here,” said Powell. “Note that this is still very much developing given the breaking announcement that "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated." This will need to be combined with information sharing between government and private sector to fully understand the incident.”
Private versus Government Response
How you respond to the latest breach depends, in part, on where you sit. The U.S. Government has been here before. A hack of the Office of Personnel Management (OPM) in 2014 compromised millions of government employees’ personnel information in what was, at that time, believed to be the worst breach of a U.S. government network in U.S. history. Beijing was suspected of being behind it. Experts agreed at the time that it was an incredibly effective and damaging act of espionage against the U.S., but not an act of war. Government responses to hacks like this haven’t always been made public; the reason given has been that details of a response could compromise the U.S.’ own sources and methods, which is the basis for the U.S. classification system.
On the latest breach, Commander of U.S. Cyber Command and head of the NSA, General Paul Nakasone has remained eerily quiet, but Jack Goldsmith, a Harvard Law School Professor who worked in the Bush Administration, told The New York Times that “The U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day.”
If you’re sitting in the private sector and are the target of a nation-state actor, it’s a whole different conversation. The debate over cyber hacks directed at private sector companies has long been a difficult issue to address. The Cipher Brief sat down with former NSA and CIA Director General Michael Hayden (Ret.), who is also a Cipher Brief expert and board member, and who said in 2018 that when it comes to private sector protection, The Cyber Cavalry Ain’t Coming. So, what does that mean for companies trying to compete against cyber bandits that operate outside anyone’s rule of law?
General Michael V. Hayden (Ret.), Former Director, NSA, CIA
(November 2018) “You know, I’m still of the belief that government, all governments, but particularly ours, are going to find it very, very hard to provide adequate cyber security just because of the nature of the domain, because of the political sensitivity, and of privacy,” said Hayden in a 2018 interview. “So, one of my constant themes in my homilies around the country is that you’re on your own up here more than you think you are, so you’re just going to have to take more responsibility for your own well-being than you have had to do in the physical space, for a long time.”
Where Do We Go from Here?
The Cipher Brief tapped our experts and industry leaders for their perspective on what the latest breach means, how it could force a faster path to information sharing between the public and private sectors, and how it changes the national security game moving forward.
What needs to happen right now to ensure that we have full insight into all aspects of this breach?
Susan M. Gordon, former Principal Deputy Director of National Intelligence
"The only way to have full insight—ever—is for each affected entity to do the hard work of understanding their situation from initial vulnerability, to pathway of penetration, to actual loss, and to remediation. There does need to be sufficient pressure on them that they do it quickly, thoroughly, and report on their findings. In addition to answering to their own organization and stakeholders, they must share the information - all of it - with some responsible, outside authority who can collect the data so it can be aggregated and shared as part of the way forward. There will be resistance to this latter effort in the name of confidentiality and privacy or even security, but the fact that we don’t share routinely what each experiences is one of the reasons we are in this mess. Lots of lessons are individually learned, but few are collectively applied. If nothing else, this hack proves again that we are a connected ecosystem, not independent, isolated entities. And the intelligence, law enforcement, and cybersecurity communities need to share what they know with the people who need it, not just with whom they are comfortable sharing."
Glenn Gerstell, Former General Counsel, National Security Agency
"Given the stealthy nature of the attack — undiscovered for months — it will take some time, if ever, before we know the full scope of the breach. At a minimum, there will be Congressional investigations, perhaps a national commission. The forensic work will be painstaking, involving review of server logs and other information, so this will not be a quick exercise."
Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
"This is going to take months. If it is indeed SVR, as it is believed to be, they're a highly sophisticated adversary that is very good at staying inside networks for a long time and then engaging in virtual hand-to-hand combat with defenders to keep their foothold. Given the scope of this, given the number of agencies and private sector companies that have likely been compromised, many, many months is what we're looking at before this is fully remediated."
Can a cyber breach of this magnitude be considered an act of war?
Susan M. Gordon, former Principal Deputy Director of National Intelligence
"It is a consequential attack on America. It is not simply the age-old profession of espionage being effected digitally. The impact is huge and systemic; the national security and economic costs will be massive; and our inability to ever fully assess the extent of their penetration means we cannot be sure that they have not laid the foundation for physical destruction. It demands response, and in finding our voice and our way forward, we will begin the establishment of enforceable norms and ultimately deterrence. That “it hasn’t worked to date” cannot be justification for inaction."
Glenn Gerstell, Former General Counsel, National Security Agency
"If it looks like it's just classic espionage, with no cyber theft or damage, then it's hard to see how this qualifies as a basis for the use of force in response. But we don't know that yet."
How much could remediation and rebuilding of the networks in the U.S. cost and how long will it take?
Gilman Louie, Chairman & CEO, LookingGlass Cyber Solutions
"We know rebuilding the networks for the U.S. government will cost a significant amount of money. The bigger question, and one that will be far more costly, is what’s the cost and impact for the IT supply chain? The truth is, as of today, this is a “billions of dollars” problem that extends far past the U.S. government’s networks. This will take years."
If the U.S. doesn't get better about this, it could strategically change the dynamic in the future. What do you think needs to happen to ensure that breaches like this, don't keep occurring?
Dmitri Alperovitch, Executive Chairman, Silverado Policy Accelerator
"If we don't treat this breach as a wake-up call, we'll never wake up. The reality is that probably the most disturbing part of all of this is not going to be the sensitive data that was stolen, because luckily it looks like they did not get access to classified networks. But even on unclassified networks, there's a lot of highly sensitive information. But to me, the more disturbing piece is that they had extraordinary levels of access to all of these networks. If they had wanted to pull a NotPetya, as they did in the Ukraine a few years ago, and destroy those networks, this country could have been brought to its knees in terms of our government, in terms of our economy, and so forth. And it is unacceptable to give any adversary or anyone else for that matter, that level of access and ability to hold this country hostage."
How do you feel about retaliation once attribution is determined? What are the ‘tools in the box’ that should be on the table?
Benjamin Powell, Co-Chair, Cybersecurity, Privacy and Communications Practice, Wilmer Hale
"The tools in the box will depend on if this is determined to be intelligence gathering activities - or is this activity in a different category. The tools will depend on how the US government views this activity — as traditional espionage or something that has crossed some type of line. That may determine which "tools" are pulled out of the box and used here."
Given what we already know from this breach, what cyber gaps still exist?
Gilman Louie, CEO & Chairman, LookingGlass Cyber Solutions
"One of the things we think could be stronger is a threat intelligence and information sharing collaboration environment that spans the DoD, IC, and DHS. We see a coordinated response right now, and that’s great. But a consistent, persistent collaboration will help us be more prepared and share critical intelligence on a consistent basis – so when we do have another breach like this, that intel sharing is a muscle we’ve been exercising all along."
"More than just sharing of indicators of compromise, this collaborative environment should enable and support sharing of threat actor profiles and actor modeling," adds Louie. "This adversary-focused intelligence can really help our cyber teams mitigate and prevent malicious activity by understanding the risk and prioritizing threat hunt and investigations."