As lawmakers struggle to come to grips with the sheer magnitude of the Solar Winds hack “pretty clearly” executed by Russia, some have suggested the cyber intrusion amounts to an “act of war.” It’s not, multiple experts told us — and framing it as one could make it harder to solve the actual cybersecurity problem, which is as insidious as it is pervasive.
“The depth and scope of the intrusion is breathtaking,” former top congressional intelligence staffer Andy Keiser told us. “The scariest thing is the Russians could, and almost certainly will, lurk deep inside of our nation’s most sensitive networks, including those holding nuclear secrets, for months, if not years.”
“I doubt the real impact will ever be disclosed by the government, even if it could be known,” one cybersecurity expert told us on condition of anonymity. “In many cases, they will need to start over to secure these networks.”
Why is this hack so bad? Hackers believed to be working for the KGB’s successor agency, the SVR, slipped malware into a regular update to SolarWinds’ widely used cybersecurity software. That gave them backdoors into every network using those SolarWinds tools, from private companies to the Pentagon to the builder and maintainer of nuclear weapons.
Now, SolarWinds wasn’t used on networks carrying classified data, only on unclassified ones. Indeed, the Energy Department on Friday clarified earlier reports to stress that the hackers only accessed “business networks” and “has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA).” One insider confirmed that the nuclear weapons networks are separate from those “front facing” business operations networks, saying there is no need for anyone to “have their hair on fire.”
Nonetheless, highly skilled hackers can sometimes turn a foothold on one network into a jumping-off point to penetrate another — even if the two networks are physically separated by what’s known as an “air gap.”
“Don’t let anyone fool you,” said Terry Dunlap, a former NSA hacker who’s now Chief Security Officer at ReFirm Labs. “Classified data on a ‘different’ system can still be accessed, for example by air-gap jumping techniques.”
“Once embedded in unclassified networks,” Keiser agreed, “Advanced Persistent Threat actors could potentially move into more sensitive networks, or gain access credentials to classified networks, particularly when given months or years.”
Arguably the most notorious example here is the Stuxnet virus — attributed to the US and Israel — which slipped from the Internet into the air-gapped network used by the Iranian nuclear program. (Of course, Stuxnet was developed to compromise industrial SCADA systems, not for standard Windows-based systems.) Once inside, Stuxnet sabotaged the software on centrifuges used to enrich uranium and caused many to spin themselves to the point of breakdown.
But here’s a huge distinction between Stuxnet and SolarWinds — at least, so far. The SolarWinds hack doesn’t seem to have done any actual damage to either physical hardware or network functions. While the dividing line between acts of espionage and acts of war is increasingly blurry and much debated in the cyber age, collecting information without doing damage is hard to describe as “war.”
King’s College London scholar Thomas Rid argues that ‘cyberwar’ has not happened and never will.
This (Doesn’t) Mean War
“Espionage is not an act of war. Had they weaponized the attack — or if they attempt to later — that could be,” Keiser said. “To me, if you direct systems to create physical destruction or disrupt critical infrastructure, like an electric grid, using a cyber attack, that could be an act of war.”
What counts as an “act of war” in cyberspace has been a hotly debated topic for years and it’s still painfully murky.
“Hacking like this — especially to this extent — might go beyond espionage, but we don’t really have anything to say it’s unlawful under international law,” said Australian-based legal expert Cassandra Steer. “And let’s be clear, the US has engaged in similar activity, just never to this extent” — again, consider Stuxnet.
“The problem in the world of cyber is that we are not dealing with armed attacks or armed force, but infringements of systems in a non-physical world,” Steer told us. While there’s no international consensus, she said, “the Tallinn Manual on Cyber Warfare asked the question, what might amount to an unlawful ‘use of force’ in a cyber attack. …The conclusion was that if there are tangible effects in the physical world which amount to the same impact as an armed use of force would have, or the ‘scale and effect’ that a physical armed attack would have, then we can consider this to be the same and the relevant international law to apply.
“As horrific as the ongoing impacts of SolarWinds are, I do not think they have reached this threshold,” Steer said.
What if you don’t trust lawyers to tell you what war is? Well, you can consult your Clausewitz, the famous — and famously cynical — Prussian theorist of armed conflict. He wouldn’t consider this “war” either, said Tom Mahnken, a veteran of long service in the Navy and civilian Pentagon posts who now heads the Center for Strategic & Budgetary Assessments.
Carl von Clausewitz
Clausewitz defined war as “an act of force to compel our enemy to do our will,” Mahnken noted. “What remains essential to war is that it is meant to compel an adversary – to achieve political objectives. That’s not what this hack is about: It is a classic intelligence-gathering operation.”
Or you could take a bluntly pragmatic approach. When lawmakers like Sen. Dick Durbin call the SolarWinds hack “virtually a declaration of war,” Mahnken said, “one could plausibly ask Senator Durbin whether he believes Congress should declare war on Russia over this ‘act of war’.
“I suspect not,” Mahnken said tartly. “That says a lot about the difference between a real act of war, which would involve the loss of — potentially many — lives and great damage to US interests, and what we are experiencing here.”
Now, even if the SolarWinds hack was not an act of war, that doesn’t mean the US cannot or should not retaliate against Russia, say some experts.
“There are tools that the United States government and Cyber Command have at their disposal that have not yet been activated. That time is now,” Keiser told us. “Carefully and methodically unleash the hounds on offense — and batten down the hatches on defense.”
Other experts, however, said a response in kind from Cyber Command may not be warranted, or wise. Several sources cautioned that a hack back could be counterproductive — escalating the situation toward actual military conflict. Given that the intrusion, up to now anyway, hasn’t crossed from espionage into any kind of damaging action, several sources said the best response may be a diplomatic one. “What do we do when we find a nest of spies?,” one source asked rhetorically.
The Best Defense?
How do we defend against another hack of this scale? That’s probably the hardest question of all.
“Deterrence seems unlikely,” the anonymous cyber expert told us. “The targets are just too good for espionage, and attribution is hard. We have to build better systems and processes, which is hard, takes real dollars and is hard to test: If the other side beats you, they don’t advertise.”
“There are some really, really smart people working on cyber in the US government right now. I know several of them,” said Charles Harry, an NSA veteran now with the University of Maryland. “It’s not that they didn’t know this could be a potential attack vector.
“The cleverness of the attack [was that] they hid in the noise,” Harry told us. “The Russians basically blended into the environment. There’s a baked-in structural vulnerability.”
Cybersecurity companies like SolarWinds keep getting hacked because their software, in order to do its job, has to have high-level access to their clients’ networks. So instead of hacking one target at a time, he said, you get “economies of scale” by hacking the cybersecurity vendor, which gets you into all of its clients.
“There absolutely are ways to fix this,” Harry said. “First and foremost…this is not purely a technical problem.” It’s about large, complicated organizations that don’t fully understand how their relationships with outside vendors make them vulnerable.
“One thing is clear,” said Matt Wyckhouse, founder and CEO of cybersecurity firm Finite State. “Despite the years of investments into layered cyber defenses, expert personnel, and new technologies, malicious actors were able to gain access to the most sensitive networks in the world by adding a simple, easy-to-spot backdoor into software used and trusted by all of these organizations. Why was this so effective? Because nobody bothered to look into the contents of the software update.”
The solution isn’t to pull the plug. The Pentagon sees greater connectivity, not less, as essential to everything from digital weapons design to All-Domain Operations in combat. Senior officials like Air Force acquisition chief Will Roper even talk about creating a military “Internet of Things,” despite the tremendous security vulnerabilities in the civilian version.
For example, Roper explained, as the Air Force stands up new “digital factories” to design weapons using computerized design tools such as computerized 3-D models known as ‘digital twins,’ the attack surface potentially accessible to adversaries grows. “This creates a new kind of target,” Roper acknowledged to reporters recently. “They become crown jewels and they’ll have to be protected as such.
“So we are pulling all the stops, and having red teams and cyber experts try to break our system to ensure that it is as tough as it can be,” he said. “But the other thing [is] zero trust technologies and doing continuous monitoring. We don’t do that in the Defense Department,” he admitted. “We certify things are impregnable.”
But in the modern era, what’s impregnable today may be exquisitely vulnerable tomorrow. That’s why you need to keep checking all the time — continuous monitoring — and have a multi-layered defense that assumes the enemy is going to get in — what is known as a ‘zero trust’ strategy.
Traveling around Europe as a student, Roper recalled, he saw plenty of ruined castles. Their history, he said, proves that a single wall is never enough. In those castles Roper saw, the art of fortification included multiple lines of defense with multiple fallback positions, mottes and baileys, curtain walls and inner keeps. “Just having a single perimeter that your adversary is never going to get through — if that’s your plan, there’s a burned castle in your future,” he said. (Sydney J. Freedberg Jr. and Theresa Hitchens).