The SolarWinds Hack Is Just The Same Sort Of Espionage The US Government Engages In Every Day
from the ugly-and-inconvenient-truth dept
A historic hack of unprecedented scale has set off alarms in the US government -- itself a target of suspected Russian hackers who leveraged IT infrastructure company SolarWinds' massive customer base to compromise an unknown number of victims. Among those victims were several US government agencies, including the DHS's cybersecurity wing, which announced its own breach hours after issuing a dire warning to potentially affected government agencies.
Is it time to panic? No, says the lame duck president, who claims this is already "under control" -- something that very definitely isn't true. SolarWinds says it has 18,000 customers using the affected Orion software. And many of those customers (which include Fortune 500 companies and major telcos/service providers) have thousands of customers of their own -- all of which may be operating compromised systems. The DHS said the only way to ensure systems are clear of this threat was to airgap them and uninstall the infected software.
Others who have been briefed on the hack are far less cheery about its ongoing impact. Trump tweeted there was nothing to worry about. Republican allies seem more concerned than the man who won't have to worry about this for much longer.
Shortly after Mr. Trump’s tweet, Sen. Marco Rubio (R., Fla), acting chairman of the Senate Intelligence Committee, said it was “increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.”
Mr. Rubio added on Twitter that efforts to determine the extent and damage of the hack were ongoing and that remediation would take significant time and resources. “Our response must be proportional but significant,” he said.
The 2050s will be like 1950s, apparently: with America in the midst of another Cold War.
But is it true this is the "gravest cyber intrusion in our history?" Or is it just the "gravest" intrusion that's targeted us? After all, the Russians don't have a monopoly on government-ordained hacking. Our intelligence and security agencies deploy their own persistent threats -- something we've done for years with minimal blowback. These calls for a cyber war by pundits and government officials aren't anything to be applauded. I don't think America really wants to get involved in another forever war -- one whose wins and losses can't be tallied with temporary "liberations" and body bag back orders.
Let's be cautious, says Jack Goldsmith. Better yet, let's be aware of the hypocrisy of the stance some government officials are demanding we take.
The lack of self-awareness in these and similar reactions to the Russia breach is astounding. The U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day.
Turning a cyber war into a shooting war isn't just an overreaction. It's illegal under international law. That doesn't mean nothing should be done about it. It just means the US government can't pretend it doesn't engage in the same activities some now want to go to war over. What's happened here might be unprecedented in scale, but it's the same thing every government with enough resources has done for years. It's not a war waiting to happen. It's business as usual.
Peacetime government-to-government espionage is as old as the international system and is today widely practiced, especially via electronic surveillance. It can cause enormous damage to national security, as the Russian hack surely does. But it does not violate international law or norms.
In recent years, the US government has deployed more offensive weapons in hopes of deterring cyber attacks. It really hasn't worked. Meeting escalation with more escalation is unlikely to change the standard operating procedures of espionage, especially since the US government hasn't rolled back its offensive efforts in the wake of massive breaches.
But there may be a way forward -- one almost impossible to achieve but promising enough it shouldn't be dismissed out of hand.
[The US government] has not seriously considered the traditional third option when defense and deterrence fail in the face of a foreign threat: mutual restraint, whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks. There are many serious hurdles to making such cooperation work, including precise agreement on each side’s restraint, and verification. But given our deep digital dependency and the persistent failure of defense and deterrence to protect our digital systems, cooperation is at least worth exploring.
There's no moral high ground to claim here. And refusing to consider bringing some of our cyber boys back home leaves us with nothing but continuous escalation. This hack is raising uncomfortable questions about our own practices. Let's see if anyone in the White House is willing to honestly confront the consequences of our own actions and find another route towards safety and national security.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cyber war, cybersecurity, dhs, hacks, hypocrisy, nsa, russia, surveillance, us
Companies: solarwinds
Reader Comments
Subscribe: RSS
View by: Time | Thread
why the F do the governments keep using the word Cyber-?
I thought it fell out of use in late 1990s
[ link to this | view in chronology ]
illegal to wage war?
"Turning a cyber war into a shooting war isn't just an overreaction. It's illegal under international law."
That has to be one of the most foolhardy statements since Chamberlain's "peace for our time" proclamation at Heston.
[ link to this | view in chronology ]
Re: illegal to wage war?
Not remotely.
[ link to this | view in chronology ]
Re: illegal to wage war?
Well illegal has the implied asterisk stating "if you lose". That has been the unfortunate status quo.
[ link to this | view in chronology ]
Hypocracy at it's finest
When WE do it's just peachy but when someone else does it to US then it's a crisis the likes of which our country has ever seen and grounds for war!
The US doesn't hesitate to deploy these tactics against foreign governments and acts incensed when one of them responds in kind.
And of course parish the thought of us showing any kind of restraint when in reality we'll just escalate further and doesn't help our mindset apparently is pure offense and little defense if at all.
[ link to this | view in chronology ]
`All this espionage comes down to one thing, governments are basically dishonest in their dealing with others, and always trying to gain an advantage.
[ link to this | view in chronology ]
not buying it
i guess you assume this would work like the IRAN deal did... please don't build nuclear weapons... if we say pretty please ? pretty please with sugar on it?
lets assume for a second that some great stupidity came down and everyone here suddenly decided - yes we will never attempt to gain intelligence via hacking.
are you going to sit there and honestly be that naive that everyone else will not?
russia ? really - personally think china and north korea are tied for that award as well.
[ link to this | view in chronology ]
There is also a forth option: hardening our critical systems against fallacious behavior, both accidental and malicious. (Of course I realize that even attempting to do this takes more balls than we can muster)
[ link to this | view in chronology ]
Re:
That would be the first option mentioned: defense.
[ link to this | view in chronology ]
Is there any evidence that Russia is involved - apart from what usual "this Biden laptop story is Russian disinformation" spooks say? Or is it a logical deduction from the fact that only a Russian is smart enough to crack a sophisticated password like "solarwinds123"?
[ link to this | view in chronology ]
"Sen. Marco Rubio (R., Fla)"
I'm not sure if it's comforting that I keep seeing the same idiots spouting nonsense in a lot of stories (meaning that the majority of US politicians are actually competent administrators and not grandstanding morons), or if it's depressing (because these people still keep getting elected).
"The 2050s will be like 1950s, apparently: with America in the midst of another Cold War."
What did people think MAGA meant? They pine for a time that never really existed outside of TV reruns, but they do remember the cold war and being able to dominate anyone who wasn't a straight white male. Whether the fiction they pine for is Leave It To Beaver or Red Dawn depends on their age group, but both are probably wishing for wartime to return.
[ link to this | view in chronology ]
I still do not understand why critical infrastructure is connected to the internet, as this seems to be a very bad idea. Perhaps there are very good reasons for doing so but I have yet to hear or read any, and efficiency/lower cost is not a very good reason.
[ link to this | view in chronology ]
Re: Internet connection
Sorry? You don't see why the Treasury's mailserver was connected to the internet?
[ link to this | view in chronology ]
Re: Re: Internet connection
and how does Treasury update said email server?
Do they blindly apply patches?
[ link to this | view in chronology ]
Re: Re: Re: Internet connection
hmmm guessing solarwinds or someone using solarwinds does it for them?
[ link to this | view in chronology ]
Re:
Efficiency is a very good reason unfortunately - good logistics win wars. Bad logistics put you in decline and lead to embarassing defeats. There are opportunity costs to everything.
Technically we could have armed motorcades transporting encrypted harddrives to prevent interception of messages. Practically that would be a massive needless expense which slows things down massively.
The sad part is that hardening these things wouldn't be that difficult or inefficient - even just using flawed SSH and PPKI would be miles better than passwords. Have one set per user including administrators and nonoverwriteable only audit logs and you have nonrepudiation as the answer of who either fucked up or betrayed you is "the one whose keys were used for this illicit access".
[ link to this | view in chronology ]
Re: Re:
It seems to be very efficient at getting hacked.
[ link to this | view in chronology ]
but didn't you realise that when the US Govt does this (or anything, come to that) it's perfectly ok? it's only bad, naughty, illegal or whatever when anyone else does it!
[ link to this | view in chronology ]
May the Farce be with you
"deployed more offensive weapons in hopes of deterring cyber attacks."
LMAO.
IMO, this could of been caught before anything happened. As in Where in hell did that .DLL come from?
Setting up an outgoing monitor of the system. Where things get looked at, and a list of where things are going.
Machines that have access to the system are REGISTERED And DATA OUT also, only to REGISTERED systems.
Thinking a Club(not the one for cars) can stop a internet attack? Priceless.
[ link to this | view in chronology ]