Pages

21 December 2020

The suspected Russian hack of the US government, explained

by Zachary B. Wolf

(CNN)Let's take a quick break from the pandemic and the presidential election and focus on two really important things regarding Russia:

1. Agents ID'd before poisoning -- CNN and the internet research journalists at Bellingcat have identified the team of Russian chemical experts who trailed opposition figure and Vladimir Putin nemesis Alexey Navalny to 17 countries before he was poisoned in Russia.

The identified Russians were dogged in their pursuit of Navalny, who CNN interviewed as he convalesces in Germany. But they also made some rookie spycraft mistakes, like barely changing their names or birth dates on travel documents. This kind of independent internet sleuthing is essential to unmask wrongdoing. It reminds me of the efforts undertaken to tie Saudi government agents to the killing of Jamal Kashoggi. It's sometimes harder for countries to hide their misdeeds than others.

2. US government hacked, Russia suspected -- We've long known about Russian efforts to compromise the US government and infiltrate the 2020 US electoral process. While there's no evidence to suggest Russia was successful in its efforts to target US election systems, it's now suspected of hacking multiple US government agencies -- from the Department of Homeland Security to the Department of Commerce -- by accessing SolarWinds, a third-party security vendor. It's also possible the Treasury Department and the US Postal Service were hacked.

What Matters went to Zachary Cohen, who covers national security for CNN and has been covering the breach, to understand a bit better what exactly happened and how big a deal it is.


WHAT MATTERS: These are alarming headlines about a hack of multiple US government agencies. What do we know about who was compromised and how do we know they are connected?

COHEN: The investigation is still in its early stages but we already know of at least four US government agencies that were compromised, including the cyber arm of DHS, which is tasked with helping to protect the nation from breaches like this. CNN has confirmed that the Departments of Agriculture, Commerce and Treasury were also compromised.

Sources have told CNN that USPS may have been hit but that investigation is still ongoing. The Department of Defense is also in the process of looking at whether any of its networks were targeted or hit.

We already know this is a serious breach

Cohen: Even at this early stage, though, it is already clear that this was one of the most serious breaches of the US government in years and there is increasing confidence among officials that it was carried out by the same Russian-linked hackers who were behind the recent incident involving the elite cybersecurity firm FireEye.

That link is very concerning for US officials who are working to determine the exact scope and scale of the attack on government agencies. The sophistication and tactics used in the hacking of US government agencies are similar to what was seen in the FireEye attack -- that is the primary indicator the two incidents are connected.

SolarWinds said in a statement Sunday night that the breach of its system "was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack."

What we know about SolarWinds

WHAT MATTERS? What is SolarWinds and why does the government outsource this kind of security?

COHEN: SolarWinds is a technology company whose products are used by a number of federal civilian agencies for network management. The US government often contracts with private companies like this because their expertise and product development is far beyond what the government can develop on its own. Some members of Congress have consistently criticized the potential security risks of using this kind of software, particularly without a thorough security review first. But protecting these networks is also the responsibility of the government and we are already seeing lawmakers, like Sen. Ron Wyden, a Democrat from Oregon, say there needs to be an in-depth review of software security practices.

This will be a challenge for the incoming Biden administration as well. Foreign adversaries are consistently attempting to infiltrate US networks and are only becoming more sophisticated in their ability to successfully do so.

Why is Russia suspected?

WHAT MATTERS: Your reporting says the government suspects Russia but has not yet made a conclusion it is Russia. How will they make that determination?

COHEN: Formal attribution of an attack like this takes time and the government does not always announce its findings even when the perpetrator has been identified. But there are only a handful of nation-state actors who have the ability to carry out a hack with this level of sophistication and Russia has a well-documented history in this area.

US officials and cybersecurity experts have identified specific indicators in how the software's vulnerabilities were exploited that point to the Russian-linked group APT29. This group is well-known by those who monitor foreign cyber activity and there are similarities between this attack and previous incidents that APT29 was involved in.

Why is a hack like this dangerous?

WHAT MATTERS: What's the danger in this type of hack? What kind of information is at risk and why would Russia want into US systems?

COHEN: It is difficult to say at this point just how dangerous a hack like this could be, and details continue to emerge about the kind of information that may be at risk. That said, the fact that we already know DHS was compromised is certainly concerning, especially considering the fact that its cyber arm was specifically breached. There are also concerns that Department of Defense networks may have been hit, but that investigation is still ongoing.

The Russians were believed to be behind a previous cyberattack on Department of Defense networks, which led to a complete overhaul of the security protocols that were in place.

While there are still a lot of unanswered questions about what exactly the hackers were after, Wyden has already called the incident "a massive national security failure that could have ramifications for years to come."

The Cybersecurity and Infrastructure Security Agency, the DHS agency in question, helped lead the government's election security efforts and was essential in protecting that process from foreign interference.

But it appears that Russian-linked actors managed to breach CISA's network while it was focused on the election, and the agency will certainly face some criticism for that. The news also comes after top CISA officials, including Chris Krebs, were fired by President Donald Trump for saying publicly that the 2020 election was the most secure in history, and that leadership overhaul will likely only complicate efforts to address the recent breach.

How will the US respond? Will the government retaliate?

WHAT MATTERS: We haven't heard much from the federal government about a response, but you report about Presidential Directive 41, which sounds like something out of a spy movie. What do we know about how the US government could respond? Will there be retaliation?

COHEN: As you mentioned, the government has put into effect Presidential Policy Directive 41, which is an Obama-era plan for executing a federal government response to any cyber incident, whether involving government or private-sector entities.

For significant cyber incidents, the directive also establishes a plan for coordinating a response between the agencies, and it requires the Departments of Justice and Homeland Security to assist entities affected by cyber incidents.

More simply put, it is all hands on deck right now as agencies across the government are working to investigate the hack and determine next steps. As far as possible retaliation, that remains to be seen and largely hinges on what information may have been stolen and how it could be used against the US.

But even though it is already clear this breach was massive, officials have told CNN that it is consistent with what they've come to expect from foreign governments. The US is also constantly scanning foreign networks, so there is a consistent level of activity that is happening on a day-to-day basis in this space.

While there will likely be calls for some sort of response, particularly if the government formally determines Russia was involved, no one wants a full-on cyber war and are aware that a tit-for-tat response can escalate quickly. As such, any response directed at those behind the attack will be carefully considered before action is taken.

For now, response efforts are focused on mitigating the impact of the breach.

Calls for a global treaty on cyberwarfare

WHAT MATTERS: All this hacking and counterhacking is wild. Do security professionals view this as a sort of hot cyberwar going on? How should Americans see this?

COHEN: The rules of cyberspace have continuously evolved over the last few years and the US government has been forced to adapt accordingly, though some experts and lawmakers believe it has not done so quickly enough. The reality is that the US is constantly working to counter foreign cyber threats and recently adopted a "defend forward" posture that involves proactively working to understand the tactics used by these actors and how they might seek to exploit vulnerabilities in our networks.

Agencies like US Cyber Command have also been given broad authorities to respond to specific threats without having to get approval first from the White House, so that gives you a sense of just how persistent the issue is.

That said, countries like Russia have little to gain from instigating a full-scale cyber war against the US because of the offensive capabilities at its disposal. So as a result, there is a lot of posturing by the US as it warns adversaries not to cross the line. But going forward, the Biden administration will have to decide how it wants to manage this ever-changing environment, and some officials warn we are heading toward a "zero trust" mentality where it is assumed that everything is compromised.

And my colleague Brian Fung reports today about calls for a sort of a global treaty on cyberwarfare. He quotes Microsoft President Brad Smith: "We need a set of binding rules. And we need a commitment by the democracies of the world to hold authoritarian regimes accountable, so they keep their hands off of civilians in this time of peace when it comes to cyberspace."

The 'urban myth' behind GOP voter fraud claims

CNN senior political analyst Ronald Brownstein looks at the specific claims about voter fraud in Republican election lawsuits, such as they exist, and finds them very similar to Republican griping about cities and the way the country is changing.

The common thread: Unsupported claim that the election was being stolen through massive voter fraud in large cities with substantial populations of African Americans and other minorities.

The deeper GOP fear: ... that they are losing control of the country to a racially and religiously diverse Democratic coalition based primarily in the nation's largest cities.

Bottom line: Trump's connection of his near-term fraud claims with his familiar warnings that long-term demographic and cultural change threatens his supporters helps explain why such a staggeringly large percentage of Republican voters -- up to about three-fourths in some recent surveys -- have accepted his new "urban myth" that the election was stolen, even though state and federal courts across the country have uniformly dismissed the President's unsupported "evidence."

Brownstein also outlines a coming wave of efforts in states controlled by Republicans to make it more difficult to vote in cities and he predicts the entire principle of democracy will be less important than results.

Whatever it takes: A Republican Party defining itself as the last line of defense between genuine American traditions and Democrats who would transform the country into something dangerously different is a party for which adherence to the rules of "small d" democracy may be a luxury, not a necessity. If the stakes in each election are really that apocalyptic, the GOP may be increasingly drawn to using any means necessary to hold off an urban-based, diverse Democratic coalition that many Republicans have convinced themselves is stealing elections to advance its larger project of stealing what Trump calls "our country."

No comments:

Post a Comment