SolarWinds and the hypocrisy of cybersecurity

easyDNS is pleased to sponsor Jesse Hirsh's “Future Fibre / Future Tools” segments of his new email list, Metaviews

Vulnerability, blame and espionage

For the next two weeks Metaviews is shifting into a lower gear as we all collectively mark the end of the calendar year. We’ll probably keep publishing, but perhaps not daily. We’re also not holding a salon this week, but will resume shortly. In the meantime, keep an eye on https://twitch.tv/metaviews and please follow us there.

We’re in the midst of what may be the largest computer security incident in years, or decades, or maybe even to date. And while it is both severe and geopolitically important, it also illustrates the hypocrisy that surrounds cybersecurity.

From Wikipedia: “Hypocrisy is the practice of engaging in the same behavior or activity for which one criticizes another or the practice of claiming to have moral standards or beliefs to which one’s own behavior does not conform.”

In this context the hypocrisy is not just that states spy, or that states hack, but on a larger level that everyone is insecure, especially governments!? We shame people and companies for being hacked, but when the government is hacked somehow that’s different?

This current episode sort of began with the news that FireEye was hacked, but has since escalated to a much larger breach, with a company called SolarWinds being thoroughly compromised.

They provide network and systems management to clients around the world, especially governments, but also other technology providers. Hacking SolarWinds is like taking over the sewers in a city. It literally provides a backdoor to almost all the essential government and corporate computer infrastructure.

This is genuinely a massive story, one that we’re still learning about. At the very least, consider it a huge source of work for cybersecurity professionals.

The scale of this attack alone is impressive: the number of companies that are not only directly impacted, but now also have to audit and question their own security, is incredible. Similarly, the length of time that it has been underway is also contributing to the severity of it all.

On Dec. 13, SolarWinds acknowledged that hackers had inserted malware into a service that provided software updates for its Orion platform, a suite of products broadly used across the U.S. federal government and Fortune 500 firms to monitor the health of their IT networks.

In a Dec. 14 filing with the U.S. Securities and Exchange Commission (SEC), SolarWinds said roughly 33,000 of its more than 300,000 customers were Orion customers, and that fewer than 18,000 customers may have had an installation of the Orion product that contained the malicious code. SolarWinds said the intrusion also compromised its Microsoft Office 365 accounts.

While a lot of the focus of this attack is how it penetrated US government computers, it is worth taking a moment to fully appreciate the scale.

The above slide is meant as a joke, but with all jokes there’s some truth in it.

This blog post from Microsoft is significant as they were heavily compromised by this attack (as noted above), as SolarWinds had a privileged position within the larger Microsoft ecosystem.

All of this illustrates the paradox of cybersecurity: if and when you have the resources and time to look, it is remarkable what you can find.

One issue that will arise as a result of this episode is an examination of who SolarWinds are, and how their services, which were intended to provide security and control, ended up producing the opposite.

On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm.

There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call.

“We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,” he said. “We manage everyone’s network gear.”

Now that dominance has become a liability – an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers.

There’s definitely hypocrisy in the way in which this software subverted security, although the story as to who is responsible is equally interesting and revealing, especially given the depth, complexity, and lasting legacy that this attack is bound to have.

There are skeptics who think that it’s all too easy to blame Russia when bad security practices may have been responsible, or at least a contributing factor.

A more nuanced perspective, however, is that this attack could only have been the work of CozyBear *and* that it was the result of terrible cybersecurity practices:

There’s also hypocrisy at play here. We lost this round of the SpyWar to the SVR, but we’re plenty active in the hush-hush cyberespionage realm ourselves. NSA is probably the world’s most skilled agency at conducting CNE while its tightly linked U.S. Cyber Command partner is among the most effective at executing CNA. Edward Snowden spilled some of those Top Secret beans to the world back in 2013, when he walked out of NSA Hawaii with over a million classified documents on his way to Moscow. Although CNA can be construed as an act of war, CNE is merely espionage in the 21st century, something which every first-class intelligence agency in the world is doing, right now, as you read this.

We must get serious about cybersecurity, not least because defeat in the SpyWar often precedes defeat in an actual war, and right now a shooting war with China looms as a serious possibility. Just as we should assume that details of Beijing’s mega-hack of the OPM were shared with Moscow, the SVR’s mega-hack of American government and industry via SolarWinds is something the Kremlin has likely shared with its friends in China. The stakes here are important and rising. It would be nice if President Trump said something meaningful about APT29’s activities, including what the U.S. government is doing to mitigate the damage while discouraging Moscow from executing further mega-hacks. It would be nicer still if Washington got serious about counterintelligence and security, cyber and otherwise, beyond mere words, before it’s too late.

It’s important to understand the cyberespionage that the US itself wages against, or inflicts upon, the rest of the world.

What if SolarWinds was already a US intelligence asset, and the real story here is that the SVR subverted it? Pure speculation of course, but when it comes to cybersecurity, anything is possible.

For example, check out this rather ludicrous hack that was recently demo’d:

Maybe the moral of this episode is that cybersecurity is full of hypocrisy, and that actual security requires resources that even the largest and most capable organizations apparently do not possess? What does that mean for the rest of us? #metaviews
