Months before insurgents breached the Capitol and rampaged through the halls of Congress, a stealthier invader was muscling its way into the computers of government officials, stealing documents, monitoring e-mails, and setting traps for future incursions. Last March—if not before, as a report by the threat-intelligence firm ReversingLabs suggests—a hacking team, believed to be affiliated with Russian intelligence, planted malware in a routine software upgrade from a Texas-based I.T. company called SolarWinds, which provides network-management systems to more than three hundred thousand clients. An estimated eighteen thousand of them downloaded the malware-ridden updates, which were embedded in a SolarWinds product called Orion. Once they did, the hackers were able to roam about customers’ networks, undetected, for at least nine months. “This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” the Cybersecurity and Infrastructure Security Agency (CISA) wrote, in its assessment of the breach. “CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.” CISA, which is part of the Department of Homeland Security, is a SolarWinds client. So are the Pentagon, the Federal Bureau of Investigation, and U.S. Cyber Command.
By now, hacking has become so routine that it’s hardly remarkable. Each morning, I wake up to an e-mail from the cybersecurity firm Recorded Future, listing the hacking groups and targets that its algorithms have uncovered in the previous twenty-four hours. The hackers have cute names, such as Lizard Squad and Emissary Panda. Their targets are a mix of commercial businesses—such as Sony and Lord & Taylor—and government sites, including those of the State Department, the White House, the Air Force, and the Securities and Exchange Commission. Most days, I also get an alert from M.S.-ISAC, the Multi-State Information Sharing and Analysis Center, the real-time threat-reporting division of the nonprofit Center for Internet Security, disclosing newly discovered vulnerabilities. There is never a day when there aren’t numerous attacks and multiple software systems that need to be patched.
So, on December 8th, when FireEye, a cybersecurity company that has uncovered numerous high-value hacks, reported that its own defenses had been breached and its closely guarded hacking tools, which are used to find vulnerabilities in its clients’ systems, had been stolen, it seemed like an escalation—a company tasked with keeping its clients safe wasn’t able to defend itself—but not necessarily a transformative one. That assessment changed, a few days later, when it became clear that FireEye was not the only target. The Treasury Department, the Commerce Department, the Justice Department, and the State Department were all infected by the suspected Russian malware. So were Microsoft, Cisco, Intel, and Belkin—companies that undergird most I.T. networks. How extensive was this operation? In the Times, Tom Bossert, who served as the Director of Homeland Security early in the Trump Administration, wrote, “While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.”
Not long after the scope of the breach began to come into view, a semantic battle commenced: Was the breach an attack or was it espionage? An attack demands a response. Espionage can be dismissed as business as usual—it’s what nation-states do. An attack in the physical world is unmistakable: a bomb explodes, guns are fired, the targets are people and property. In the digital world, where ordnance is constructed from zeros and ones, the distinction is less clear: computers are compromised, networks are infiltrated, and software is weaponized in secret, behind a quiescent scrim that may remain intact for months or years. What initially appears to be a spying operation ultimately may turn out to be an attack—either digital or physical—with a long lead time. Although the consensus seems to be that the SolarWinds breach was straight-up reconnaissance, the truth is that we don’t yet know. CISA continues to update its assessment, providing new information about the mechanics of the operation as they are identified. (In December, Joe Biden said that, when he assumed the Presidency, the United States “would probably respond in kind.”)
During the SolarWinds breach, hackers infiltrated American nuclear facilities. Earlier intrusions by Russian, Iranian, and Chinese hackers breached dams and electricity-generating stations, opening a door to foreign-intelligence operatives. Are we to believe that these spies merely want to know how we secure our nuclear weapons, deliver water to municipalities, or light our homes? It’s difficult to put too fine a point on it: anyone who has gained access to these networks has the ability to upend or destroy whole swaths of this country. Nonetheless, in July of 2019, General Mark Milley, at his confirmation hearing to become the chairman of the Joint Chiefs of Staff, was sanguine about this possibility. “If they know that we have an incredible offensive capability,” he said, it “should deter them from conducting attacks on us in cyber.” For every dollar that the United States spends on cyber defense, it spends ten developing cyber weapons, which are able to do to our adversaries what they can do to us: turn off the power, cut off food supplies, sabotage military installations, shut down communications systems, and, as we saw in 2010, with Stuxnet—the cyber weapon, widely believed to have been a co-creation of the United States and Israel, which destroyed centrifuges at Iran’s Natanz uranium-enrichment plant—cross over into the physical world.
The prospect of mutually assured destruction has worked so far in the nuclear realm, where the horrific consequences of nuclear weapons brought adversaries to the negotiating table. But there are no rules of engagement in cyberspace, in large part because the United States has wanted to use its cyber arsenal unconstrained by rules and regulations. This means that deterrence, which is really a game of chicken, gives our adversaries a clear path to compromising our infrastructure or shutting down our cities, if they so choose. Jason Healey, the president of the Cyber Conflict Studies Association, wrote, on the Lawfare blog, “The pressures to strike early could become an imperative when facing cyber-strong but technology-dependent countries like the United States.” He added, “Indeed, there is evidence that the power of U.S. offensive capabilities has not deterred threats but, instead, has done the opposite.” It is important to recognize, too, that not all attacks are launched directly by nation-states. As we saw recently, when scores of hospitals had their computer systems held for ransom, cybercriminals—who sometimes work in concert with government intelligence agencies—can also wreak havoc. (A woman died as a result of one of these attacks in Germany, because emergency-care facilities were unavailable.)
The simple truth is that cyber defense is hard, and in a country like the United States, where so much of our critical infrastructure is privately owned, it’s even harder. Every router, every software program, every industrial controller may inadvertently offer a way for malicious actors to enter and compromise a network. This is compounded by the fact that, even where software patches exist, they are often not applied, and many businesses and municipalities are too cash poor to afford adequate Internet security. As Healey observed, “It isn’t cheap; JPMorgan Chase reportedly spends at least $600 million annually for cybersecurity.”
Among the many messes left behind for the Biden Administration to clean up, the SolarWinds hack is going to be particularly challenging. According to Bossert, “A ‘do over’ is mandatory and entire new networks need to be built—and isolated from compromised networks.” There is now an opportunity to create those systems with security built into them from the outset, what is known as “security by design.” (It has been more common for government-I.T. vendors to append security features as custom add-ons.) Think of this like building codes optimized to withstand earthquakes. When the big ones come, the structures built to code are the ones that remain standing.
Cybersecurity was not a popular topic in the Trump White House. Because Donald Trump could not abide discussions of Russian election hacking, he made cybersecurity a partisan issue. Joe Biden understands that cyber intrusions are an existential threat, calling them “an urgent national-security issue that cannot wait.” He is reinstating the office of the White House cybersecurity coördinator, a role that the Trump Administration eliminated, and has appointed Anne Neuberger, the head of the National Security Agency’s Cybersecurity Directorate, to his National Security Council. His proposed $1.9-trillion stimulus package allocates ten billion dollars for cybersecurity. And, on his first full day in office, Biden asked Avril Haines, the new director of National Intelligence, for an assessment of the SolarWinds hack.
“We have to be able to innovate, to reimagine our defenses against growing threats in new realms like cyberspace,” Biden said in December, after learning of the SolarWinds hack. The work of shoring up digital security begins by recognizing—with all due respect to the first American President—that sometimes a robust offense is not “the surest . . . means of defence.” Sometimes, the best defense is a robust defense. Deterrence may hold the line, but for how long?