21 February 2021

SolarWinds attack underlines importance of US cyber-security upgrades


The unprecedented scale of the SolarWinds attack was a powerful illustration of how the cyber threat environment is intensifying, explains Greg Austin. Is the United States doing enough to equip itself to thwart state-level and criminal attacks?

Testimony by leading specialists to the US Congress on 10 February makes clear that the country’s cyber defence and deterrence strategies are not effective against foreign cyber attacks. Criminal activities also pose a significant threat to national cyber defences: the hearings were held just days after news broke of an act of cyber sabotage that attempted to chemically contaminate a city’s water supply and potentially poison its inhabitants. This testimony was given as part of the first Homeland Security Committee hearings since the spectacular Russian espionage success involving software from US company SolarWinds that came to light in December 2020, and since President Joe Biden’s inauguration.

The four specialists, who included Christopher Krebs, the former founding head of the Cybersecurity and Infrastructure Security Agency (CISA), were all upbeat about the prospects for successful and effective upgrades to national cyber security. They gave credible recommendations for improvement. On the other hand, their statements indicate there is a long way to go and that the room for optimism is much narrower than suggested, given what several of them painted as a seriously intensifying cyber threat environment.

On the same day, the White House announced plans for an inquiry into the SolarWinds attack. In this attack, which may still be in play, a Russian intelligence agency successfully exploited weaknesses in the software made by SolarWinds to penetrate the outer defences of more than 200 agencies and corporations to achieve what some have called the most serious cyber attack anywhere, ever.

US cyber defence today

In May 2017, four months after taking office, the Trump administration set out an urgent agenda for cyber-security reform. It covered most bases: critical infrastructure; elimination of older insecure systems; supply-chain transparency; the industrial base; workforce; diplomacy; and military cyber power.

New institutions, such as CISA, emerged, and other units in key agencies were elevated in importance and received higher levels of funding. The National Cyber Strategy of 2018 announced the Cyber Deterrence Initiative, which promised to impose costs on nations engaged in sustained malicious cyber attacks on the United States. The administration was doing many things well, including the delivery of what the CISA described as the ‘most secure [election] in American history’.

Yet the offensives by other governments keep succeeding, as evidenced by the SolarWinds attack, and so do criminal ventures. Russia and China are not deterred from engaging in massive cyber espionage against the United States, at least not yet. One reason is simply that espionage is what great powers do, and they will use all available means to do it as effectively as they can.

Another reason is that cyber defence, even for the most powerful country on earth, is a massively difficult undertaking. Most of the US federal government, comprising over 100 agencies and thousands of unique cyber systems, is not well placed for cyber defence. Krebs, who left office only in November, said as much in his testimony.

No one in cyber-security policy believes in watertight defence. They plan instead to reduce the likelihood of successful attacks, and minimise their impact. It is a good approach because it prioritises protecting the country’s most valuable secrets, the ‘crown jewels’, while ceding a certain amount of lower-value cyber terrain to inevitable raids and inevitable failures, such as the SolarWinds breach.

Recommendations for the future

Taken together, the testimonies of the four witnesses – recognised national leaders in the field – are calling for radical improvements to the way decision-makers address cyber security.

Krebs called for a bolder vision from the federal government and much more investment. He advocated for an expansion of the CISA’s powers and much better coordination between government and the corporate sector. He described the ransomware threat as a ‘national emergency’, which should be met with aggressive action, referring to the generally weak state of cyber law enforcement in the United States. He raised the possibility of legal measures to prevent the payment of ransoms, as well as serious legal actions and other retaliatory measures against ransomware gangs.

In her short written statement, Susan Gordon, a former senior official for national security, made a plea for more transparency about cyber attacks and cyber crime, especially through intelligence sharing. She warned that solutions cannot be purely technical, an allusion to the growing calls for greater study of the social aspects of cyber security and socially oriented cyber defences.

Michael Daniel, president and CEO of the Cyber Threat Alliance, also made a strong call for more attention to the social dimensions of cyber security: economic; psychological; organisational; process; policy; and legal. He warned that a mindset of seeing cyberspace as an amorphous global commons like the oceans or the atmosphere detracted from a necessary focus on the hard, physical territorial aspect of cyber activity. He called for the clearer articulation of cyber security as a means of preventing an adversary from achieving its overarching goals, thereby shifting the focus to thwarting such efforts and accepting that not every cyber intrusion will be defeated.

The written statement of Dmitri Alperovitch, executive chairman of the newly established Silverado Policy Accelerator, had several business-oriented recommendations. He called for increased powers for the CISA, with the aim that it expand to become the Chief Information Security Officer for the entire federal government. He also supported the need for more transparency by advocating a national breach-notification law and for more robust action to defeat the business model of ransomware.

In terms of a strategic-level approach to malicious actions by states in cyberspace, Alperovitch’s statement came closest to an overarching policy approach. His remarks in this direction echoed notes struck by other witnesses. He suggested that cyber security could only be optimised through more effective geopolitical responses towards the malicious actions of the four greatest adversaries of the United States in cyberspace – Russia, China, Iran and North Korea. It is more than likely that this sentiment will be a guiding principle of the Biden administration’s cyber policy and broader bilateral diplomacy with these four countries.
