Amidst the panic and disorder caused by Covid-19, a major recent happening in cyberspace has gone almost unnoticed. A series of intrusions into the systems of vital establishments across the US during most of last spring did not alert nations across the globe, although the episode had important lessons for most of them. Among the large number of victims were not only important government agencies in the US, but many Fortune 500 companies as well.
The US Secretary of State, Mike Pompeo, went public a few weeks ago to accuse Russia as the main player in this misadventure. Strangely, however, his boss, President Donald Trump, quickly underplayed the episode and obliquely exculpated Russia to say that he rather suspected a Chinese hand in this.
Trump’s nearly outrageous stance was taken despite the fact that there was nothing to indicate that he was speaking on the basis of any briefing he had received from his officials. Trump contradicting his highest official went to prove that what should be purely within the purview of technocrats could easily slip into the hands of tendentious politicians. This is why charges and counter-charges of cyber aggression are no longer taken seriously, particularly when there are just three.
The recent attacks on American establishments were sophisticated. They were surreptitious and could have remained buried but for the initiative of FireEye, a well-known American security firm, which alerted the country’s intelligence agencies. Further enquiries revealed that the network-monitoring software of a company called SolarWinds was the main problem.
A wide spectrum of sensitive government departments, including the Pentagon and the Department of Homeland Security (DHS), were SolarWinds’ clients. After getting into the websites of many of SolarWinds’ customers, the miscreants are known to have used the tainted software as a kind of Trojan Horse. They either belonged to or were close to the SVR, the successor to the KGB, the infamous Russian spy agency.
Attacks vs espionage
The modus operandi employed by the intruders was to use American Internet addresses and local computers, invariably at places where the victims themselves were located. The attacks were timed for non-working hours when traffic was minimal. SolarWinds was chosen as the target of attack because it was notoriously low on security standards.
The company used very weak passwords that were either leaked or could be easily guessed. According to one report, although the Russians did not breach classified systems within SolarWinds, they came close to it. Also, some classified information was not protected by layers of security, making it easily vulnerable.
The well-known cyber security writer Bruce Schneier draws a distinction between cyber attacks and cyber espionage. The former are aimed at making a direct or indirect profit at the cost of the victim.
On the other hand, the objective of cyber espionage is to derive critical information that could be of great value either to the aggressor or to the client who has hired him. In Schneier’s opinion, the recent attacks on US organisations were intended to illegally derive knowledge of facts relevant to the Russian security establishment. It is not yet known what the objectives of the intruders were in this particular instance.
On the face of it, this is fundamentally an exercise in quibbling and does not take us very far into protecting our information wealth.
In both cyber intrusion and espionage, the intentions of the attackers are undoubtedly dishonest. It is an entirely different matter that almost all modern nations, especially the US, indulge in this practice ad nauseam. Any outrage expressed by the victim nation is for public consumption and for stimulating the interest of the international community.
NSA in the dark
The question raised by many cyber experts and others is how the government’s key intelligence organs, such as the National Security Agency (NSA), on which billions of dollars are spent for protecting the country’s critical resources, were blissfully ignorant of the manoeuvres of foreign intruders. This could remain unanswered even at the end of the current major investigation launched by the federal government and others.
What does all this mean for countries like India, which are fast establishing near parity with advanced nations like the US and China in the matter of cyber prowess? Apart from the fact that they can never relax their vigil, they need to understand that there is no such thing as 100 per cent security and, therefore, the response to attacks should be moderate in tone but combined with a resolve to retaliate. The commendable role of the private sector in the US happenings highlights the need to build confidence in that sector that it will be heard in such matters instead of being ignored and despised as in the past.
The proverbial scepticism about the motives of private corporations should yield place to trust in their capacity and national spirit.
The writer is a former CBI Director and a former Security Adviser to TCS Ltd