Monday, January 04, 2021

The SolarWinds Data Breach: Should We Care?


The year 2020 will go down in history for a number of reasons, but the cherry on the disaster cake hit the news in mid-December.  Cybersecurity investigators discovered that some software provided by the Austin, Texas network-monitoring software firm SolarWinds had been "trojaned" some time in early 2020.  Hackers, later identified as Russian, managed to insert malware into an update of SolarWinds's popular network-monitoring software, and this allowed the hackers to access customers' emails and other supposedly secure data from around March of 2020 until one of SolarWinds's customers noticed that someone had stolen some of their cybersecurity tools, and notified the company.  Microsoft software was compromised in similar attacks.


This was a complicated and well-organized exploit, as the hackers focused their attention on high-value targets such as government agencies.  Wikipedia's article on the breach reads like a list of a spy's dream targets:  the Department of Defense, the National Nuclear Security Administration, the National Institutes of Health (in the midst of the COVID-19 pandemic, yet), the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Department of State, and the Department of the Treasury.  As in any spying operation, most of what they got won't be that useful to them, but some of it very well may be. 


Fortunately, the hackers did not use their access to lock files or cause other disruptions that might have drawn premature attention to what they were doing.  They were spying, not sabotaging.  But of course, what they learned may help them commit sabotage in the future.  We simply don't know.


How did this happen?  In the case of SolarWinds, the hackers gained access to the firm's "software-publishing infrastructure" way back in October of 2019.  Clearly, the company's own security measures were insufficient to prevent this initial breach, which, if caught, could have stopped the whole attack in its tracks.  But something as simple as carelessness with passwords can allow hackers into a system.  Hacking is like burglary, in that ordinary defenses stop the average burglar, but if a huge sophisticated gang decides to focus on your house, there's not a lot you can do to stop them.


And SolarWinds was the focus of the Russian hacking group known as "Cozy Bear" because of its critical place in the software supply chain.  Thousands of firms use its network-monitoring software, which meant that "trojanizing" a SolarWinds software update gave the hackers potential access to any of SolarWinds's customers' systems.  And that is exactly what happened.


Once the breach was discovered last month, SolarWinds went public and warned its customers of the problem.  But as one expert interviewed on the breach put it, fixing the leaks that the hackers established is like getting rid of bed bugs:  sometimes they are so spread out that finding each individual bug is an impossible task, and you have to burn the mattress.  The reason is that once the attackers got into a system, they could wander around and establish more access points.  And stopping the original breach does nothing about those access points, which can be hard to find.  So even though we know how the hackers got in, it's not going to be an easy matter making sure that they can't keep spying on their victims without throwing out a whole lot of software and starting over from scratch.


What difference does all this make to the average Joe or Jane?  If you don't work for one of the affected companies or agencies, should you even bother to put this on your already-lengthy worry list? 


In itself, the breach's consequences are unpredictable.  Governments keep some things secret for good reasons, mostly, and when those secrets are revealed, bad things can happen.  We are not currently in direct hand-to-hand conflicts with Russia, but there are low-level military operations going on all over the world, many of which the U. S. is involved in without the knowledge of the general public.  As in any military operation, intelligence about plans or proposed actions can be used against you if it leaks, so for one thing, our military forces have been put in a potentially bad situation.  But again, it's hard to tell yet.


During World War II, the Germans were largely unaware that the Allies had breached their most-secure code system with the Turing-inspired "bombes" of Bletchley Park, because any military advantage that the Allies' decoding operations gave them was carefully disguised to look like luck.  So we can expect Russia to disguise any advantages it's attained from the Cozy Bear attacks similarly, although we now know roughly what they've been up to. 


Institutions change slowly, and the old saying that generals in a new war start out by fighting with the previous war's weapons is still true.  There will always be a need for troops on the ground in some situations, but as more and more commerce and activity of national importance takes place in cyberspace, future battles will also be staged more and more in the digital realm. 


As we know from bitter experience in other areas of engineering ethics, it usually takes a spectacular tragedy to inspire major institutional change that could have prevented the tragedy in the first place.  We have been relatively fortunate that bad consequences from cyberattacks on U. S. targets have not approached the magnitude of a 9/11, for example.  Probably the worst ones have been ransomware attacks mounted by apparently private criminal groups that shake down organizations for money, usually in the form of bitcoin.  While serious for the organizations targeted, these sorts of attacks have not up to now appeared to be part of a coordinated terrorist-like systematic assault on the nation's infrastructure.


Such an attack could come at any time, however.  And the fact that Cozy Bear hackers were reading the Pentagon's mail for the last nine months does not inspire confidence in the ability of our nation's cyber-warfare personnel to prevent such attacks.  Until we take cyberwarfare fully as seriously, if not more seriously, than attacks with conventional weapons, we are effectively inviting hackers to see what they can do to disrupt life in the United States.  Let's hope they don't try any time soon.


Sources:  I referred to an article by Kara Carlson of the USA Today Network which appeared on the Austin American-Statesman's website on Dec. 30 at  I also referred to a chronology of the attacks on the channele2e website at, and the Wikipedia article "2020 United States federal government data breach."
