Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.
Hackers tampered with software updates for Orion, network management software from SolarWinds, to smuggle malware into the computer systems of its government and corporate clients. Because the tainted updates were distributed through SolarWinds' own channel and carried its digital signature, customers installed them as routine maintenance. The malware can transfer files, reboot computers and disable system services. It appears so far to have been used for espionage, albeit on a grand scale. But since clients included infrastructure operators, it could have been used for sabotage, and it shows how similar methods might be used for devastating cyber attacks in the future.
The incident should raise red flags across the public and private sectors that there is no such thing as perfect security. Even the most sensitive institutions are vulnerable to compromise operations by sophisticated players; in this case, a leading cyber security company, FireEye, was itself affected. The US and its allies cannot assume technological superiority over their most determined and capable cyber-foes: Russia, China, North Korea and Iran.
Any IT system, moreover, is only as secure as its weakest link. A central feature of this attack is that it exploited the supply chain, gaining access via trusted software from a commercial supplier rather than by breaching the victims' own defences directly. While the US and allies have worked to exclude foreign-owned potential security risks such as China's Huawei from critical infrastructure, threats can emerge via unwitting domestic sources. Private businesses are not equipped to vet their suppliers as government departments can.
Government agencies and private companies alike should therefore take a leaf out of the security services' book: operating under the constant assumption that they have already been compromised, and continually hunting for intruders rather than relying on perimeter defences alone. The faster breaches can be located and closed, the more likely it is that critical data can be protected. Cyber security has to be treated as a priority right up to the most senior levels, and financial and human resources made available to ensure companies and public bodies have the best defences.
To strengthen government security, president-elect Joe Biden would be well-advised to reinstate the White House "cyber tsar" role the Trump team axed in 2018. A similarly able successor is needed to Chris Krebs, recently fired by Donald Trump as director of the well-regarded Cybersecurity and Infrastructure Security Agency. Though Mr Trump has threatened to veto it, the National Defense Authorization Act significantly beefs up CISA's largely advisory authority, giving it power to hunt for threats on other federal agencies' networks and to intervene in their cyber security programmes.
A return to multilateralism would also help. Mr Biden should liaise with allies on collective cyber security, and joint sanctions on states engaging in abuses. A “digital Geneva Convention” could update the norms of conflict for the cyber age; Russian president Vladimir Putin — whose Kremlin has denied being behind hacks of the US — has proposed a mutual cyber truce. But the kind of controls once adopted, say, on nuclear arms are tricky to translate into the realm of cyber space.