December 21, 2020

Sunday School 12/20/20: Extra Credit

Yesterday's Sunday School focused on the Biden folks who were out and about. For your Extra Credit today, we're going to focus on the massive hack which apparently kicked off months ago and was only more recently discovered - or, at least, more recently disclosed.

Sen. Mark Warner (D-VA) was in the classroom with George Stephanopoulos on This Week. Warner agreed with many others that "all indications point to Russia" as being the culprit in the hack, even though the president said it might be China. Warner also said "thank goodness" FireEye came forward, otherwise we might not have discovered the attack. (We'll hear from FireEye later in the post). And, Warner said, 

... I think this raises a whole host of questions of how did they get in, stay so long, how do we make sure our government agency, for example, CISA, that's supposed to oversee cybersecurity, there's not even a requirement that private companies or for that matter, even public agencies, have to affirmatively report that kind of attack or intrusion to CISA. We’re going to need to look at a whole new set of rules...

The attack may be ongoing, he's not sure - but "they got in and were in for a long time." Warner talked about being able to get into a "supply chain" and then move from one company to another and "ultimately get down to some of our most important innovation tools being discovered by our adversaries." And he said when the president tries to deflect or is not willing to call out our adversary, he is not making our country safer.

Warner said it appears that only non-classified networks were breached, and that we've got a lot of work to do - "literally weeks" to find out how extensive the attack was, and "potentially months" to remediate the damage. He also said we need better funding and better rules for this kind of thing.

I sometimes think we disproportionately spend on tanks, ships and guns when we should be better protecting on cyber. And I think not only America but, frankly, our FireEye partners, NATO, others, because there are international implications of this attack as well. 

We had the benefit of our 'mutually assured destruction' from the nuclear perspective, he said, but we don't have similar thinking around cyber. What happened falls somewhere between espionage and an attack, 

And I think the only way we're going to be able to counter it is not only better cyber hygiene, better protocols on how information must be shared if you are attacked, and then making very clear to our adversaries that if you take this kind of action, we and others will strike back.

Finally, George asked about our own hacking, our own espionage, but Warner answered a different, unasked, question. 

The level of indiscriminate attack launch, as Secretary of State Pompeo said, by potentially a Russian spy agency, this is as broad and as deep as anything we've ever seen. And the idea that that should go unanswered would be very bad American policy and, frankly, simply invite Russians or others to continue these kind of malicious activities.

Over in the State of the Union classroom, Jake Tapper's guest was Christopher Krebs, who led the US Cybersecurity Agency during the time of the hack. Tapper cited Trump's comments I linked above, and Krebs discounted the president's view.

Everything I have heard... it's Russia. I mean, they are - they're exceptionally good at this, particularly the foreign intelligence service, the SVR. They're good. They're quiet. They're deliberate. They're patient and they're careful.

Krebs said we're "just getting our arms around" the scope, and while there's been a lot of talk about SolarWinds, an IT company that provides software services to many companies that were hacked, he thinks it's probably bigger than just them. He suspects there are more companies compromised, and

in fact, my old agency issued a report to that effect just the other day, that we are looking for other ones. And supply chain compromises are particularly hard to defend against.

Tapper asked why no one caught the hack sooner. Krebs said first, the Russians are very talented; second, a supply chain attack is very hard to defend against; and third, we've got "a lot of old antiquated, legacy IT systems that are hard to defend" in our 101 federal civilian agencies. But there's more. The National Defense Authorization Act (which the president has threatened to veto)

... would give CISA, my old agency, the authorities to go out and really aggressively hunt and look for these adversaries. And that's what we're going to have to do to get certainty and to the other side of this, is really deep-diving into these agencies' systems, looking for the Russians, and going hand to hand combat almost with them and get them out of those systems.

He agreed that "yes, it happened on my watch at CISA. And we missed it." The key now is doing the work to make sure we get them out of our networks, and "that it never happens again." That's going to take Congressional support, resources, and the authority to do what we need to do. 

Krebs says the Russians are more interested in intelligence, in policy stuff, diplomatic stuff, negotiations and so on, rather than in "destructive types of attacks." That said, we need to be "very careful with escalating this," in making any kind of retaliatory attack of our own. We need to talk with "like-minded countries" about what's an acceptable response. 

Final question? What does he think about Trump meeting with Rudy Giuliani, Michael Flynn, and Sidney Powell "talking about martial law to overturn the election, making Sidney Powell a special counsel, et cetera?"

I think I have said it a couple times this week in a Senate hearing on Wednesday, but this is not the America that I recognize. And this is just beyond the pale.

And, from the Face the Nation classroom, we've got Margaret Brennan's discussion with Kevin Mandia, the CEO of FireEye, "a cybersecurity company that protects clients against malicious software and investigates hacks." That's the company Sen. Warner mentioned in his comments, which discovered the breach.

Mandia said this was different from the more than a thousand breaches his company responds to each year. He described it vividly, saying

This was not a drive-by shooting on the information highway. This was a sniper round from somebody a mile away from your house. This was special operations. And it was going to take special operations to detect this breach. 

He also said he thinks these are the same folks who were messing around in the 90s and early 2000s, not a "one and done" threat, and said that it's a "continuing game in cyberspace." As to when it began, he suggested it was

In October of 2019 when code was changed in the SolarWinds Orion platform, but it was innocuous code. It was not a backdoor. Then sometime in March, the operators behind this attack did put malicious code into the supply chain, injected it in there- and that is the- the backdoor that impacted everybody.

He also said that it's true "over 300,000 companies use SolarWinds," but around 18,000 companies actually had the malicious code in their networks, and then only around 50 were "genuinely impacted." 

When asked about attribution for the attack, and whether he agrees with others that it was Russia, Mandia said it was "definitely a nation behind this." And after some more very vivid descriptions, going even beyond his earlier drive-by analogy, Brennan pressed him on the Russia question, saying

But you know better than anyone that there are only a very few number of nation states capable of what you are describing in terms of skill. Russian intelligence, specifically the SVR, has been repeatedly pointed to by officials. Is that who you believe did this?

He thinks "this is an attack very consistent with that," and that we're going to get the attribution right. We can either "speculate it or we can do some more work" to nail it down, to "put a neon sign on the building of the folks that did this."

And I'm very confident as we continue the investigation, as it gets broader, as more people learn the tools, tactics and procedures of this attack, we're going to bring it back and we're going to get attribution. Not ninety-two percent right, not 'consistent with,' but a hundred percent. Let's just get it right so that we can proportionately respond, period.

Brennan explained her push on attribution, suggesting that to prevent this kind of attack from happening again, we have to know who did it. She, too, mentioned the president's muddying of the waters by disagreeing with his own cabinet, and asked Mandia how we keep something like this from happening again.

He said we need to "have doctrine," like we do for the use of chemical weapons, so people know the rules of the game, and if we don't, he thinks it will just get worse.

We're going to see the borders continue to be pushed outward in cyber attacks-- to the point where, when do we finally do the work--when it's already intolerable, when it already got so bad that we have no choice but to respond. But like you said, it starts with doctrine. With doctrine, you have to get attribution right. And with attribution, then you have to do a proportional response to whoever the actors were. 

So, feeling better, or not so much? I can't decide.

See you around campus, after the holiday. I'll be looking for your masked family celebration posts on social media - don't let me down!
