For all its breadth, depth, and skillful insertion via the supply chain, the latest hack of critical departments of the U.S. government—and of many leading corporations from around the world — should come as no surprise. Twenty-two years ago, as American forces were readying to strike Iraq for violations of an agreed-upon U.N. weapons inspection regime, deep intrusions into sensitive military information systems were detected. Enough material was accessed that, if printed out, would have made a stack over 500 feet tall. The investigation into this hack, code-named "Solar Sunrise," unearthed a group of teenagers, two in Northern California, one in Canada, and a young Israeli computer wizard, Ehud Tenenbaum.
The youth of the miscreants, and their lack of connection to a hostile power, led to a somewhat dismissive attitude toward this sort of cyber threat. The absence of a sense of urgency about the problem was noted in a study of the matter undertaken by the National Academy of Sciences the following year, 1999, at a time when yet another very grave series of intrusions into American defense information systems—this time seemingly by Russians—was occurring. The effort to detect, track, and then deter further hacks was code-named "Moonlight Maze," an investigation that revealed the intrusions had been ongoing or at least three years before having been spotted.
It also took about three years to catch on to an apparent Chinese effort that had been cyber-snooping in sensitive American national security systems as well. That was back in 2003, when the "Titan Rain" forensic investigation got under way in earnest. Ever since, the Chinese efforts, led it is thought by their elite Unit 61398, have focused more on industrial and commercial intellectual property theft rather than on specifically military matters, to the tune of what is thought to be hundreds of billions of dollars worth of cutting-edge information.
The SolarWinds affair is simply another incident in a long pattern of intrusions. Yes, the angle of inserting malware in software specifically designed to enhance security is a creative touch. But we in the defense world have long been aware of this means of insertion. Indeed, I had graduate students at the military school where I teach working on exactly this sort of problem many years ago. And the Stuxnet hack of the Iranian nuclear program a decade ago operated through the supply chain as well.
Why, then, this worst-ever hack? The National Academy study from 1999 put the matter well when it focused on an organizational culture, especially in the military, that tended to downplay thinking and planning for defense. To this I would add that, when conceiving of defense, too much reliance is placed on firewalls and anti-viral software designed to keep intruders out. These are Maginot Lines. Instead, the right approach is to "imagine no lines," to think in terms of aggressors who will always find a way in. By cultivating a mindset emphasizing this inevitability, those charged with protecting our cyberspace will find that innovative defensive practices will arise more readily.
For example, replacing the current faith in triple-belt firewalls with the ubiquitous use of very strong encryption will improve cyber defenses immeasurably. For it should be obvious by now that data at rest are data at risk. And beyond more and better use of encryption, sensitive data should also be kept moving. In the Cloud, even around in the Fog (populated by "edge devices" like routers and switches that provide entry into enterprise or provider networks). The combination of strong crypto and cloud and edge computing will frustrate even the best cyber spies.
What is to be done now? Aside from fundamentally shifting the emphasis away from "static" cyber defenses like fortified firewalls and anti-viral software that find it hard to detect the latest advances in malware, it is crucially important to take full advantage of the opportunity that the SolarWinds hack has provided to scour all information systems for any signs of delayed-action devices—designed not for spying, but rather for disrupting or distorting data flows in time of war. Military and business information systems should both get a clean bill of health; that is, test negative for signs of "cybotage," before shifting to a new security regime based on strong codes and regular movement of data.
Such a scrubbing makes for a tall order. But unless action is undertaken now, the risk will grow that the next SolarWinds-like event will come in a time of crisis or conflict, when lives are at stake and the price of complacency will be paid with the blood of soldiers frantically trying to access vital systems that no longer work.
John Arquilla is Distinguished Professor of Defense Analysis at the U.S. Naval Postgraduate School. From 2005-2010, he served as Director of the Department of Defense Information Operations Research Center. The views expressed are his alone.
No entries found