with Tonya Riley

A Russian hacking campaign that breached the Treasury and Commerce departments and ran roughshod through critical companies across the globe is a final stain on the Trump administration’s cybersecurity legacy.

National security officials are still scrambling this morning to determine the scope of that campaign, which officials say was going on for months and impacted government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East. 

It likely represents the largest known Russian data theft in half a decade and is a sign that Trump administration efforts to constrain Russian hacking have been spotty at best.

The hackers were able to access victims' email accounts and probably made off with reams of sensitive information about internal government deliberations. At the very least, the investigation and cleanup operation will continue well after President-elect Joe Biden takes office in January. 

“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy, told my colleagues Ellen Nakashima and Craig Timberg. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”

The breach prompted an emergency meeting Saturday of the National Security Council, Reuters reported. The Department of Homeland Security issued a directive early this morning for government agencies to protect against the breach in probably the fastest-ever turnaround for such an order. 

The Kremlin denied involvement in a statement. 

The scope of the breach could be staggering. 

It was conducted by a division of Russia’s SVR intelligence service that cybersecurity agencies have dubbed APT29 or Cozy Bear, and it was part of the same operation that compromised the cybersecurity firm FireEye, which was revealed last week, Ellen and Craig report. That’s the same group that hacked the White House and State Department during the Obama administration, and it was among the groups responsible for hacking the Democratic National Committee in 2016, though it was not responsible for leaking DNC emails to the public.

FireEye and the government agencies were breached through a network management system called SolarWinds, which has extensive contracts throughout government and industry, offering a map of potential victims.

A list of SolarWinds customers on its website includes all branches of the U.S. military, government agencies including the National Security Agency and the Executive Office of the President. It also includes “more than 425 of the U.S. Fortune 500,” as well as all of the top 10 U.S. telecommunications companies and the top five accounting firms. 

“A lot will depend on what we learn this week,” former NSA hacker Jake Williams told me, saying he fears the hackers could have reached into many more government agencies than is currently known. 

Here’s more from Reuters’s Chris Bing, who first broke news of the breach:

SolarWinds said in a statement that the breach was “the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state” and that it is working with FireEye, the intelligence community and law enforcement on an investigation.

Trump White House officials have boasted about taking a more aggressive posture in cyberspace, which they said would help keep Russia and other adversaries at bay. 

But clearly Russia wasn’t deterred. 

During a notable 2018 speech at a DHS cybersecurity conference, Vice President Pence blamed an earlier string of Russian attacks on the Obama administration opting for “silence and paralysis over strength and action” and claimed the previous administration “let the American people down when it came to cyber defense.” 

He pledged that under Trump, “The American people demand and deserve the strongest possible defense and we will give it to them.”

The administration's efforts were also often undermined by Trump himself, who repeatedly expressed doubts Russia interfered in the 2016 election and even discussed cooperating on cybersecurity with Russian President Vladimir Putin. 

“One thing that’s totally clear is that we haven’t been strong enough in punching back against Russian interference and that’s been a weakness during the Trump administration because he doesn’t really want to confront Russia. Other countries, yes, but Russia, no,” Chris Painter, a State Department cyber-coordinator during the Obama administration and the first months of Trump’s term, told me. 

“There’s been a lot of good activity from different agencies, but it hasn’t been woven together from the top,” he said. 

Trump tweeted past midnight with unfounded claims his election loss was illegitimate and on other topics but did not mention the breach. 

The administration also handicapped its response by hollowing out some of the government’s top cybersecurity offices. 

Most significantly, Trump fired Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), last month after Krebs defended the integrity of the election.

Three other top CISA officials have either resigned or are on their way out. 

Krebs would have led the government’s effort to oust the hackers and protect against their return as well as contacting companies in critical sectors that might have been affected by the same hacking campaign.

That outreach will be far tougher with him gone.

“So much of the public-private partnership [in cybersecurity] is built on trust, and it’s not trusting government, it’s trusting people in government,” Williams said. “It’s impossible to measure the fallout of the scuttling of those figureheads on the response.”

Here’s how Krebs responded on Twitter: 

During the past four years, the Trump administration also eliminated a White House cyber-coordinator position that would have led overall government efforts to respond to the breach, and a State Department cyber-coordinator position that would have been at the forefront of organizing any international response. 

Congress mandated that the White House appoint a new cyber director in a recently passed defense bill, but Trump has pledged to veto the bill over a list of grievances, including its plan to rename military bases that are named for Confederate rebels. It appears Congress may have the votes to override Trump’s veto. 

“It speaks volumes for why [cybersecurity] needs to be a higher priority during the Biden administration,” Painter said. 

Here’s more from Mieke Eoyang, a former House Intelligence Committee staffer who’s now senior vice president of the Third Way think tank’s National Security Program. 

The keys

Gmail, YouTube and a slew of other Google products were down this morning. 

It’s not clear if there was anything malicious behind the outage, which started around 6:40 a.m. The outage was also affecting Google Assistant and Google Docs. 

Trump threatened again to veto a defense bill that’s vital for cybersecurity.

The president claimed in a tweet that China is “the biggest winner” in the $741 billion legislation despite the fact that the bill focuses extensively on confronting China’s rise. That imperils a slew of cybersecurity funding related to ramping up state and federal defenses.

The tweet sets up a showdown between the president and Congress, which voted to send the defense bill to the president’s desk on Friday. Both the House and the Senate passed the bill with sufficient majorities to override a presidential veto, Karoun Demirjian reports.

Trump has piled on reasons for rejecting the bill over the past month, including its mandate to appoint a national cyber director within the White House. The proposed position “increases bureaucracy and confuses cybersecurity policymaking,” the White House said in a statement.

Huawei worked with several companies to develop surveillance products to identify ethnic minorities.

Chinese-language marketing materials on Huawei’s website showed partnerships with at least four companies that promoted ethnic-tracking capabilities, Eva Dou and Drew Harwell report.

The company is already facing scrutiny over its human rights practices after The Washington Post first reported last week its partnership with a Chinese firm to design a Uighur alarm allegedly capable of identifying members of the Muslim minority group.

Several of the companies Huawei partnered with were sanctioned by the U.S. Commerce Department last year for working with the Chinese government on the surveillance of Uighurs. The company already faces national security scrutiny from the U.S. government over concerns its telecommunication systems could aid Chinese government spying. 

A Huawei spokesperson denounced language in the document outlining the Uighur alarm, saying the language used was completely unacceptable.

“We take the allegations in The Washington Post’s article very seriously and are investigating the issues raised within,” a Huawei spokesperson said in a statement to The Post. “We do not develop or sell systems that identify people by their ethnic group, and we do not condone the use of our technologies to discriminate against or oppress members of any community.” 

School districts are buying phone-hacking technology typically used by law enforcement. 

One of the companies selling such technology is Cellebrite, which has racked up millions in FBI and state law enforcement contracts, Tom McKay and Dhruv Mehrotra at Gizmodo report.

A Gizmodo review of eight school districts found that administrators paid as much as $11,582 for tech to siphon phone data. Seven of the districts identified by Gizmodo were in Texas. 

The Los Angeles Unified School District, which represents over 630,000 students and is the second-largest school district in the country, also purchased Cellebrite software. A spokesperson for the school district told Gizmodo that the software is used to investigate misconduct ranging from financial fraud to sexual abuse.

Unlike law enforcement, which needs a warrant to access a suspect’s phone, schools can generally search student property any time they think the student violated the law or school policy. Experts worry those broad powers, paired with the new technology, could lead to violations of students’ privacy and potential racial profiling.

“The problem is as much with the legal standards as with the technology,” said Barbara Fedders, an assistant professor of law at the University of North Carolina at Chapel Hill, who focuses on the intersection of criminal law and school discipline. “Schools take students’ cellphones for all kinds of reasons, not because they think they are doing anything pernicious; you can see where racial bias could factor into this.”

Securing the ballot

The electoral college will meet today to confirm Biden’s victory. 

Both chambers of Congress will convene on Jan. 6 to finalize the vote count.

The meeting comes on the heels of two more failed legal challenges from Trump to overturn the results of the election. 

The Georgia Supreme Court on Saturday rejected his campaign’s request to overturn the state’s election results. On Friday, the U.S. Supreme Court dismissed a separate bid by the state of Texas to overturn results in Georgia, Michigan, Pennsylvania and Wisconsin, Robert Barnes reports.

Chat room

Johns Hopkins cryptographer Matthew Green asked: What could you do with $50 million to improve supply-chain attacks against the United States?

Dmitri Alperovitch, chairman at Silverado Policy Accelerator:

Dan Tentler, founder of Phobos Group.


  • The National Academies of Sciences, Engineering, and Medicine’s Committee on Science, Technology, and Law is holding a panel on “Election Security: Lessons Learned from 2020” today at 1 p.m.
  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled “Examining Irregularities in the 2020 Election” on Wednesday at 10 a.m.

Secure log off