Russia's hacking spree is a reckoning
The US still has no constructive response to the kind of supply chain attack that let Russia run wild.
Several key U.S. government agencies, including the Departments of Homeland Security, Commerce, Treasury and State, learned last week that their networks had been breached by Russian hackers in a months-long espionage campaign. It will take months, or longer, to fully grasp the nature and depth of the attacks. But it is already clear that both the federal government and the IT industry that supplies it are facing a reckoning.
In March, Russian hackers apparently compromised routine software updates for the widely used SolarWinds Orion network monitoring tool. By being able to modify and monitor this trusted code, the attackers could deliver their malware to a wide range of customers without detection. Such "supply chain" attacks have been used before, including by Russia, for government surveillance and disruptive hacking. The SolarWinds incident, though, highlights the impossibly high stakes of these attacks, and how little has been done to prevent them.
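The reason a tampered update can reach customers "without detection" is that a customer's usual check, the vendor's code signature, only vouches for the bytes that reached the signing step. The toy pipeline below is an added illustration written for this page, not SolarWinds' or anyone else's real code; the signing key, the source, the "backdoor" bytes and the HMAC-based signature are all constructed stand-ins. It contrasts tampering inside the build (signed by the vendor, so accepted) with tampering in transit (rejected), and shows an independent reproducible-build comparison catching the first case.

```python
import hashlib
import hmac

# Constructed vendor signing key: a stand-in for the private key behind a
# code-signing certificate. Not a real key and not any vendor's key.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def build(source: str) -> bytes:
    """Toy deterministic 'compiler': the artifact depends on the source only."""
    return b"ARTIFACT v1\n" + source.encode("utf-8")


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Toy code signature (HMAC-SHA256 over the artifact). A real pipeline uses an
    asymmetric signature, but the property is the same: the signature vouches for
    whatever bytes were handed to the signing step."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_release(source: str, build_tamper=None) -> tuple[bytes, bytes]:
    """The vendor's build-and-sign pipeline. `build_tamper`, if given, models an
    attacker with a foothold in the build environment who alters the artifact
    before it is signed."""
    artifact = build(source)
    if build_tamper is not None:
        artifact = build_tamper(artifact)
    return artifact, sign(artifact)


def customer_check(artifact: bytes, signature: bytes) -> str:
    """What most customers check before installing an update: the signature."""
    return "accepted" if verify(artifact, signature) else "rejected"


def reproducible_build_check(source: str, shipped: bytes) -> str:
    """Independent check: rebuild from the published source and compare digests.
    This only works when the build is deterministic."""
    expected = hashlib.sha256(build(source)).hexdigest()
    actual = hashlib.sha256(shipped).hexdigest()
    return "match" if expected == actual else "mismatch"


def inject_backdoor(artifact: bytes) -> bytes:
    """Constructed stand-in for a malicious modification; it carries no real payload."""
    return artifact + b"\n# backdoor stub (constructed)"


SOURCE = "def monitor():\n    return 'network is fine'\n"  # constructed source


def demo() -> dict:
    """Run the three cases and return (signature check, rebuild check) per case."""
    results = {}
    # Case 1: honest release.
    art, sig = vendor_release(SOURCE)
    results["clean"] = (customer_check(art, sig), reproducible_build_check(SOURCE, art))
    # Case 2: tampered inside the build environment, then signed by the vendor.
    art, sig = vendor_release(SOURCE, build_tamper=inject_backdoor)
    results["build_tampered"] = (customer_check(art, sig), reproducible_build_check(SOURCE, art))
    # Case 3: tampered in transit, after signing, without the signing key.
    art, sig = vendor_release(SOURCE)
    art = inject_backdoor(art)
    results["transit_tampered"] = (customer_check(art, sig), reproducible_build_check(SOURCE, art))
    return results


if __name__ == "__main__":
    for case, (sig_check, rebuild_check) in demo().items():
        print(f"{case:17s} signature: {sig_check:9s} rebuild: {rebuild_check}")
```

The point of the contrast is case 2: the signature is genuine, so every customer accepts the update, and only a party that can rebuild from source and compare digests notices the divergence. That is the check a customer cannot perform unless the vendor's build is reproducible.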
Matt Ashburn, national security engagement manager at the web security company Authentic8 and formerly chief information security officer at the National Security Council, said: "This is like other disaster recovery and crisis planning in both the government and private sectors. If the pandemic began this year, however, no one seemed ready for it; everyone scrambled. And supply chain attacks are the same: everybody knows about it and is aware of the threat; we know our most advanced adversaries are engaged in this kind of operation."
The recriminations began soon after the attacks, with US Senators Ron Wyden (D-Ore.) and Sherrod Brown (D-Ohio) posing questions to Treasury Secretary Steve Mnuchin in Congress about that department's readiness and response. Sen. Mark Warner (D-Va.), vice chair of the Senate Intelligence Committee, said in a separate statement on Monday that "as we have learned from the NotPetya attacks, software supply chain attacks of this nature may have destructive and wide-ranging consequences. We should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors."
The US has invested heavily in threat detection; a multibillion-dollar system called Einstein patrols federal government networks for malware and raises alerts. However, Einstein is only effective at detecting known threats, as a 2018 Government Accountability Office study detailed. It's like a bouncer who turns away everyone on his list but waves through names he doesn't recognize.
In the face of a sophisticated attack like Russia's, Einstein was insufficient. The hackers used their SolarWinds Orion backdoor to gain access to target networks. They then lay dormant for up to two weeks before moving very carefully and deliberately within victim networks to gain more privileges and exfiltrate data. They also worked hard to cover their tracks during this potentially more visible stage of the attacks.
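The bouncer analogy translates directly into detection logic: an indicator match fires only on destinations already on the list, whereas a per-host baseline can flag a monitoring server that, after two quiet weeks, starts talking to a destination it has never contacted before. The script below is an added example for this page, not Einstein's logic or any agency's telemetry; the hostnames, destinations, day numbers and the "known bad" indicator list are all constructed, and the baseline is deliberately simple.

```python
from collections import defaultdict

# Constructed indicator list (the bouncer's "list"). Not a real threat feed.
KNOWN_BAD = {"known-bad.example"}


def build_sample_events() -> list[tuple[int, str, str]]:
    """Constructed connection records (day, host, destination) over 16 days.
    Days 1-14 are routine; day 15 hits a listed indicator from a workstation;
    day 16 the monitoring server contacts a destination never seen before."""
    events = []
    for day in range(1, 15):
        events.append((day, "orion-mon01", "updates.vendor.example"))
        events.append((day, "orion-mon01", "ntp.corp.internal"))
        events.append((day, "ws-finance-07", "mail.corp.internal"))
    events.append((15, "ws-finance-07", "known-bad.example"))
    events.append((16, "orion-mon01", "updates.vendor.example"))
    events.append((16, "orion-mon01", "cdn-telemetry.example"))  # not on any list
    return events


def known_threat_alerts(events, indicators):
    """Indicator matching: fires only when the destination is already listed."""
    return sorted({(d, h, dst) for d, h, dst in events if dst in indicators})


def first_seen_alerts(events, baseline_days: int):
    """Per-host baseline: record every destination a host contacted during the
    baseline window, then flag each later (host, destination) pair that is new.
    Each new pair alerts once; later repeats are treated as learned."""
    seen = defaultdict(set)
    for day, host, dest in events:
        if day <= baseline_days:
            seen[host].add(dest)
    alerts = []
    for day, host, dest in sorted(events):
        if day > baseline_days and dest not in seen[host]:
            alerts.append((day, host, dest))
            seen[host].add(dest)
    return alerts


if __name__ == "__main__":
    events = build_sample_events()
    print("indicator alerts :", known_threat_alerts(events, KNOWN_BAD))
    print("first-seen alerts:", first_seen_alerts(events, baseline_days=14))
```

Run on the constructed data, the indicator check reports only the day-15 hit; the first-seen check reports that and the day-16 contact from the monitoring server. The trade-off a real deployment has to manage is noise: a first-seen rule on a busy host generates many alerts, which is why it is usually scoped to servers whose outbound behaviour should be stable.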
"This is a reckoning for sure," says Jake Williams, a former NSA hacker and founder of the security company Rendition Infosec. "That's inherently so difficult to deal with, since supply chain attacks are ridiculously hard to detect."
On Tuesday the GAO published another report, one it had circulated within the government in October, titled "Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks." The agency found that none of the 23 agencies it reviewed had adopted all seven of the key best practices it identified for cyber defense. Most of the agencies had implemented none of them.
The supply chain problem, and Russia's hacking spree, are not unique to the US government. SolarWinds said that up to 18,000 customers were exposed to the hackers, who also penetrated FireEye, a leading cybersecurity company.
"It was not easy to determine what happened here—this is an extremely capable, advanced actor that takes great steps to cover their tracks and compartmentalize their operations," said John Hultquist, FireEye's vice president of intelligence analysis. "We were fortunate to get to the bottom of it, frankly."
But the possible consequences of these federal breaches, whether political, military or economic, should serve as a final wake-up call about the Russian operation. Although the attackers appear so far to have breached only unclassified networks, Williams of Rendition Infosec stresses that some unclassified information connects enough dots to add up to classified material. And it is not yet clear how dire the full picture will look, since the true scale and scope of the incident are still unknown.
There are some ways to strengthen supply chain security: the basic due diligence the GAO outlines, and prioritizing audits of widely deployed IT platforms. However, experts say the hazard is not easily tackled. One possible direction is building highly segmented "zero trust" networks, so that attackers cannot accomplish much even if they infiltrate some systems, but in practice large organizations find it difficult to commit to this model.
"You have to put a great deal of trust in your software vendors, and every one of them 'takes security seriously,'" Williams explains.
Without an entirely new approach to data security, though, attackers will keep the upper hand. The US has options at its disposal, counterattacks, sanctions or some combination of them, but there is too much to gain from this kind of espionage and too little barrier to entry. Jason Healey, a senior research scholar at Columbia University, says: "We can blow up your home networks or show how angry you are and how fucked we are, but that probably doesn't affect your behavior for the long term."
"The defense is stronger than the offense," says Healey. "They have to find out what we can do." In that sense, Russia's hacking spree will be less an anomaly than a template.