The US has suffered a massive cyberbreach. It’s hard to overstate how bad it is – The Guardian
Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but thats wrong on two accounts. It wasnt a cyber-attack in international relations terms, it was espionage. And the victim wasnt just the US, it was the entire world. But it was massive, and it is dangerous.
Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isnt at all targeted, the entire world is at risk and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.
Heres what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR previously known as the KGB hacked into SolarWinds and slipped a backdoor into an Orion software update. (We dont know how, but last year the companys update server was protected by the password solarwinds123 something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself and can affect all of a suppliers customers. Its an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.
SolarWinds has removed its customers list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes fewer than 18,000 of those customers installed this malicious update, another way of saying that more than 17,000 did.
Thats a lot of vulnerable networks, and its inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsofts analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs and it will certainly grow.
Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and were only just learning some of the techniques involved here.
Recovering from this attack isnt easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isnt compromised is to burn it to the ground and rebuild it, similar to reinstalling your computers operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they cant be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers again believed to be Russia stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.
Even without that caveat, many network administrators wont go through the long, painful, and potentially expensive rebuilding process. Theyll just hope for the best.
Its hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, theres no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.
And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVRs hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)
While this is a security failure of enormous proportions, it is not, as Senator Richard Durban said, virtually a declaration of war by Russia on the United States While President-elect Biden said he will make this a top priority, its unlikely that he will do much to retaliate.
The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and its basically buyer beware. The US regularly fails to retaliate against espionage operations such as Chinas hack of the Office of Personal Management (OPM) and previous Russian hacks because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I dont think wed hesitate for a minute.
We dont, and Im sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSAs budget is the largest of any intelligence agency. It aggressively leverages the USs position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and itll probably never be made public. In 2016, President Obama boasted that we have more capacity than anybody both offensively and defensively.
He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of persistent engagement, sometimes called defending forward. The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.
But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.
And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why dont organizations like the departments of state, treasury and homeland security regularly conduct that level of audit on their own systems? The governments intrusion detection system, Einstein 3, failed here because it doesnt detect new sophisticated attacks a deficiency pointed out in 2018 but never fixed. We shouldnt have to rely on a private cybersecurity company to alert us of a major nation-state attack.
If anything, the USs prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cellphone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the worlds popular encryption systems be made insecure through back doors another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.
We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyber-attacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.
Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVRs access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.
This preparation would not be unprecedented. Theres a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russias power grid just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.
Were not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the worlds supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day wont help create the safer world in which we all want to live.
Visit link:
The US has suffered a massive cyberbreach. It's hard to overstate how bad it is - The Guardian
- CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - HSToday - December 5th, 2024 [December 5th, 2024]
- Where Will The Top Amateurs at NSA Yamaha Land After the Team Closes? - Vurbmoto - December 5th, 2024 [December 5th, 2024]
- CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure - HSToday - December 5th, 2024 [December 5th, 2024]
- Main players backing Syrian government have been weakened by other conflicts, NSA Sullivan says - NBC News - December 5th, 2024 [December 5th, 2024]
- Trump's incoming NSA Mike Waltz wants US to dance cheek-to-check with India - The Times of India - November 14th, 2024 [November 14th, 2024]
- What Trump's NSA Nominee Said On India's Pivotal Role In The 21st Century - NDTV - November 14th, 2024 [November 14th, 2024]
- Exclusive: Nakasone on exploding pagers, life after the NSA and another possible government job - The Record from Recorded Future News - November 14th, 2024 [November 14th, 2024]
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 - BleepingComputer - November 14th, 2024 [November 14th, 2024]
- CISA, NSA, and Partners Issue Annual Report on Top Exploited Vulnerabilities - National Security Agency - November 14th, 2024 [November 14th, 2024]
- 6 Principles of Operational Technology Cybersecurity released by joint NSA initiative - Security Intelligence - November 14th, 2024 [November 14th, 2024]
- It's official FBI, CISA, and NSA reveal the most exploited vulnerabilities of 2023 - TechRadar - November 14th, 2024 [November 14th, 2024]
- Donald Trump picks Mike Waltz as US NSA: What it means for China and India - The Times of India - November 14th, 2024 [November 14th, 2024]
- Who is Mike Waltz, Donald Trump's new NSA pick? What are his ties to India Caucus? - Firstpost - November 14th, 2024 [November 14th, 2024]
- NSA should not oversee the management of national facilities RexDanquah - Citi Sports Online - November 14th, 2024 [November 14th, 2024]
- Trudeaus NSA admits to leaking secret intel alleging Indias interference to Washington Post - Firstpost - October 31st, 2024 [October 31st, 2024]
- White House dials NSA Ajit Doval: Here's what happened in the call - The Economic Times - October 31st, 2024 [October 31st, 2024]
- NSA Doval Stresses Need For Stable Indo-Pacific In Phone Call With US Counterpart Sullivan - News18 - October 31st, 2024 [October 31st, 2024]
- Director-General of NSA calls for continued support from government - GhanaWeb - October 21st, 2024 [October 21st, 2024]
- 5G Non Standalone Nsa Architecture Market to Reach USD 240.0 - openPR - October 21st, 2024 [October 21st, 2024]
- NSA meets with Minister Muir and DAERA to discuss industry concerns - Meat Management - October 21st, 2024 [October 21st, 2024]
- NSA cyber chief: Espionage is now Russias focus for cyberattacks on Ukraine - The Record from Recorded Future News - October 11th, 2024 [October 11th, 2024]
- NSA Investigating If Chinese Hackers Breached US Telecoms - Yahoo Finance - October 11th, 2024 [October 11th, 2024]
- NSA Issues Updated Guidance on Russian SVR Cyber Operations - National Security Agency - October 11th, 2024 [October 11th, 2024]
- News - Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony - DVIDS - October 11th, 2024 [October 11th, 2024]
- NSA's Program for Nursing Mothers in the Workplace Considered a Model for USG - National Security Agency - October 11th, 2024 [October 11th, 2024]
- NSA investigating hack of three major telecommunications companies - Baltimore Sun - October 11th, 2024 [October 11th, 2024]
- Honoring the Stars and Stripes: NSA Philadelphia Hosts Dignified Flag Disposal Ceremony [Image 8 of 8] - DVIDS - October 11th, 2024 [October 11th, 2024]
- NSA Hiring Over a Thousand in the Next Year - ClearanceJobs - October 4th, 2024 [October 4th, 2024]
- What Its Really Like to Work at NSA - National Security Agency - October 4th, 2024 [October 4th, 2024]
- US Elections: Former NSA John Bolton Claims Both Harris And Trump Do Not Qualify To Be President | NewsX Exclusive - NewsX - October 4th, 2024 [October 4th, 2024]
- Honoring the fallen: Bells toll for Americas heroes at NSA Mechanicsburg - American Military News - October 4th, 2024 [October 4th, 2024]
- How often should you turn off your phone? Heres what the NSA says - PCWorld - October 4th, 2024 [October 4th, 2024]
- NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations - HSToday - September 28th, 2024 [September 28th, 2024]
- NSA warns that Active Directory is an "exceptionally large and difficult to defend" attack surface - The Stack - September 28th, 2024 [September 28th, 2024]
- News - Honoring the Fallen: Bells Toll for Americas Heroes at NSA Mechanicsburg - DVIDS - September 28th, 2024 [September 28th, 2024]
- National Storage Affiliates Trust (NYSE:NSA) Given Average Recommendation of "Reduce" by Brokerages - MarketBeat - September 28th, 2024 [September 28th, 2024]
- Lack of Standard Stadiums: NSA boss sacked, facilities closed - What has been said and done so far - GhanaWeb - September 21st, 2024 [September 21st, 2024]
- NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations - National Security Agency - September 21st, 2024 [September 21st, 2024]
- UTEP Establishes Collaboration with DoD, NSA to Help Enhance U.S. Semiconductor Workforce - The University of Texas at El Paso - September 21st, 2024 [September 21st, 2024]
- The NSA advises you to turn off your phone once a week - here's why - ZDNet - September 21st, 2024 [September 21st, 2024]
- NSA Publishes Cyber Advisory on China-Linked Threat Actors - Executive Gov - September 21st, 2024 [September 21st, 2024]
- Former NSA Director Nakasone opens new institute at Vanderbilt to train right type of leader - Washington Times - September 21st, 2024 [September 21st, 2024]
- ACR lauds legislation that would fine insurers for delayed NSA payments - AuntMinnie - September 16th, 2024 [September 16th, 2024]
- NSA threatens lawsuit over election rigging allegation, demands apology - Pulse Nigeria - September 16th, 2024 [September 16th, 2024]
- NSA explains its work with private sector on election security and fighting foreign cyber threats - Washington Times - September 16th, 2024 [September 16th, 2024]
- NSA to debut podcast to boost public awareness of classified missions - Nextgov/FCW - August 31st, 2024 [August 31st, 2024]
- In Beijing, Bidens NSA Calls Out Chinas Destablising Actions, Openly Supports Philippines - Hindustan Times - August 31st, 2024 [August 31st, 2024]
- Why the NSA advises you to turn off your phone once a week - ZDNet - August 31st, 2024 [August 31st, 2024]
- Getting into rhythm: NSA places high expectations on themselves for 2024 - Suffolk News-Herald - August 31st, 2024 [August 31st, 2024]
- NSA readying podcast to share untold stories of codebreakers missions - Washington Times - August 31st, 2024 [August 31st, 2024]
- Trump govt stopped aid to Pakistan over ISI's 'undeniable complicity' with terrorists: Ex-US NSA - Hindustan Times - August 31st, 2024 [August 31st, 2024]
- Top NSA researcher tapped to lead Pentagons UAP investigation hub - DefenseScoop - August 27th, 2024 [August 27th, 2024]
- NSA Releases Guide to Combat Living Off the Land Attacks - Infosecurity Magazine - August 27th, 2024 [August 27th, 2024]
- With a little help from the National Archives, NSA finally releases Grace Hopper lecture. Watch it here. - MuckRock - August 27th, 2024 [August 27th, 2024]
- Trump administration NSA H.R. McMaster says there was "inconsistency" in foreign policy - CBS News - August 25th, 2024 [August 25th, 2024]
- 'Putin exploited Trump's ego and insecurities': Former NSA in new book - The Times of India - August 25th, 2024 [August 25th, 2024]
- NSA calls for urgent Government action on illegal sheep imports - Meat Management - August 14th, 2024 [August 14th, 2024]
- Sheikh Hasina Resignation LIVE Updates: Ex Bangladesh PM Sheikh Hasina Meets NSA Ajit Doval At Hindon Airbase - NDTV - August 5th, 2024 [August 5th, 2024]
- NSA Claims It Cant Watch an Important Tape It Recorded in the 1980s - Gizmodo - July 17th, 2024 [July 17th, 2024]
- Letter to NSA Sullivan Requesting Assessment of Information Russia Has Shared with the PRC on U.S. Weapons Capabilities in Ukraine - Select Committee... - July 17th, 2024 [July 17th, 2024]
- The NSA Is Defeated By A 1950s Tape Recorder. Can You Help Them? - Hackaday - July 17th, 2024 [July 17th, 2024]
- Letter to NSA on Microsoft's Billion Dollar Partnership with UAE Firm G42 - Select Committee on the CCP | - July 17th, 2024 [July 17th, 2024]
- NSA Fast Pitch World Series kicks off with Skills Competition & Heavy Hitters Camp, featuring College World Series Champions from the University... - July 17th, 2024 [July 17th, 2024]
- NSA contractor bilked government for hundreds of hours she never worked - Washington Times - July 6th, 2024 [July 6th, 2024]
- Signals intelligence has become a cyber-activity - The Economist - July 6th, 2024 [July 6th, 2024]
- OpenAI adds former NSA chief to its board - CNBC - June 15th, 2024 [June 15th, 2024]
- Former head of NSA joins OpenAI board - The Verge - June 15th, 2024 [June 15th, 2024]
- Former NSA Head Joins OpenAI Board and Safety Committee - RetailWire - June 15th, 2024 [June 15th, 2024]
- Former NSA head joins OpenAI board and safety committee - TechCrunch - June 15th, 2024 [June 15th, 2024]
- OpenAI Appoints Cybersecurity Expert And Retired US Army Genera With NSA Pedigree To Board, Enhancing AI ... - Benzinga - June 15th, 2024 [June 15th, 2024]
- Former NSA head Paul Nakasone to helm national security institute at Vanderbilt - The Record from Recorded Future News - May 15th, 2024 [May 15th, 2024]
- US is still chasing down pieces of Chinese hacking operation, NSA official says - The Record from Recorded Future News - March 18th, 2024 [March 18th, 2024]
- 6 CISO Takeaways from the NSA's Zero-Trust Guidance - Dark Reading - March 18th, 2024 [March 18th, 2024]
- St. John's M.S. in Cyber and Information Security Earns Key NSA Validation - St John's University News - March 18th, 2024 [March 18th, 2024]
- Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS - United States Cyber Command - December 23rd, 2023 [December 23rd, 2023]
- NSA Highlights AI, Partnerships in 2023 Cyber Review - MeriTalk - December 23rd, 2023 [December 23rd, 2023]
- NSA Publishes 2023 Cybersecurity Year in Review - National Security Agency - December 23rd, 2023 [December 23rd, 2023]
- Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS - National Security Agency - December 23rd, 2023 [December 23rd, 2023]
- NSA Reiterates Achievements in AI & Defense Against Russia, China in 2023 Cybersecurity Review - Executive Gov - December 23rd, 2023 [December 23rd, 2023]
- NSA appoints new Cyber Command head | SC Media - SC Media - December 23rd, 2023 [December 23rd, 2023]