The Washington Post

The Cybersecurity 202: Russian hack reveals weaknesses in government cybersecurity protections

with Tonya Riley

A major Russian breach is prompting fears the government's cybersecurity protections have fallen dangerously behind. 

Lawmakers and experts are sounding alarms that billions of dollars' worth of custom-made government cybersecurity systems aren’t equipped to spot the most nefarious Russian hacker activity. 

And they’re warning the government is poorly organized to respond to such breaches once they come to light. 

“This really reinforced the need to double down on our cyber defensive strategy,” Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, told me. 

The breach is highlighting how years of efforts to create state-of-the-art cybersecurity protections within government have nevertheless failed to keep out sophisticated Russian hackers who’ve also been improving their game.

Notably, the government has fallen behind at keeping tabs on the vast supply chain of technology that runs its computer systems, making it more vulnerable to attacks such as the recent one, which began with Russian hackers breaking into the Texas software company SolarWinds. The hackers then sent corrupted updates to customers including the State, Treasury, Commerce and Homeland Security departments, and probably to many other government agencies and companies as well. 

“It’s going to take far too long for the executive branch to inventory precisely where Orion [the SolarWinds system] is deployed and utilized and that demonstrates the critical importance of supply chain security,” Langevin said. 

The hack also shows how the private sector’s cybersecurity savvy has arguably improved faster than the government's.

It was the cybersecurity company FireEye, after all, that spotted the Russian campaign, not the National Security Agency or another government agency. 

“For people in Washington who believed that Fort Meade is the center of everything cyber in the U.S., this is going to be a shock,” Jason Healey, a former White House cybersecurity official who’s now a senior research scholar at Columbia University’s School for International and Public Affairs, told me. “It was the private sector that caught this and it’s primarily the private sector that has the capability here.”

Some of the earliest concern has focused on a $6 billion cybersecurity detection system known as Einstein. 

That system is run by DHS and was designed to alert the agency when hackers were trying to infiltrate government systems. But it was designed only to find malicious software the government already knows about, as my colleagues Craig Timberg and Ellen Nakashima report. That allowed the Russian malware, which DHS was unaware of, to sneak in. 

As of 2018, the government was planning an Einstein update that might have caught the hack — a system designed to spot when computers aren’t infected with known malware but are acting in a way that suggests they might be compromised, such as connecting to new and unknown IP addresses that might be controlled by hackers. That update was slated for 2022, according to a report from the Government Accountability Office.

“It’s fair to say that Einstein wasn’t designed properly,” Thomas Bossert, a top cybersecurity official in the George W. Bush and Trump administrations, told my colleagues. He called it a “management failure.”

Sen. Ron Wyden (D-Ore.) was more critical. “DHS spent billions of taxpayer dollars on cyber defenses and all it got in return was a lemon with a catchy name,” said Wyden, a member of the Senate Intelligence Committee. “Despite warnings by government watchdogs, this administration failed to promptly deploy technology necessary to identify suspicious traffic and catch hackers using new tools and new servers.”

Once DHS learned of the hacking campaign, it loaded indicators of the activity into Einstein to help identify breaches on agency networks, Sara Sendek, a spokeswoman for the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), told my colleagues. 
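To make concrete the distinction the article draws between Einstein’s known-indicator matching and the planned behaviour-based update (flagging connections to destinations a host has never talked to before), here is a small detection comparison run over constructed network flow records. This is an added illustration, not code from the article, from DHS or from the Einstein program; the host names, IP addresses (drawn from RFC 5737 documentation ranges), timestamps and the indicator list are all constructed for the example.

```python
"""Toy comparison of indicator (signature) matching versus baseline-based
behavioural detection over constructed flow records.

Added illustration only; not code from the article, DHS or the Einstein program.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample flow log: "timestamp,src_host,dst_ip,dst_port,bytes_out".
# The first two weeks establish normal behaviour; on Dec 15 the host starts
# sending large volumes to an address it has never contacted before.
SAMPLE_FLOWS = """\
2020-12-01T09:00:00,wks-17,203.0.113.10,443,1200
2020-12-01T09:05:00,wks-17,203.0.113.10,443,900
2020-12-02T10:00:00,wks-17,198.51.100.7,443,1500
2020-12-02T10:30:00,wks-17,198.51.100.7,443,1100
2020-12-15T11:00:00,wks-17,203.0.113.10,443,1000
2020-12-15T11:02:00,wks-17,192.0.2.55,443,50000
2020-12-15T11:03:00,wks-17,192.0.2.55,443,52000
2020-12-15T11:05:00,wks-17,192.0.2.99,443,100
"""

# Constructed indicator list, standing in for intelligence loaded only after a
# campaign becomes known. Deliberately incomplete: 192.0.2.55 is not on it.
KNOWN_BAD_IPS = {"192.0.2.99"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    src_host: str
    dst_ip: str
    reason: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV-style flow lines above into Flow records, oldest first."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, ip, port, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), host, ip, int(port), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def match_indicators(flows: list[Flow], indicators: set[str]) -> list[Alert]:
    """Signature-style detection: alert only on destinations already on the list."""
    return [Alert(f.src_host, f.dst_ip, "matches known indicator")
            for f in flows if f.dst_ip in indicators]


def detect_new_destinations(flows: list[Flow], learning_days: int = 7) -> list[Alert]:
    """Behaviour-style detection: learn which destinations each host normally
    contacts during an initial window, then alert on any destination that host
    has never been seen talking to. Needs no prior knowledge of the attacker."""
    if not flows:
        return []
    cutoff = flows[0].ts + timedelta(days=learning_days)
    baseline: dict[str, set[str]] = {}
    for f in flows:
        if f.ts < cutoff:
            baseline.setdefault(f.src_host, set()).add(f.dst_ip)
    alerts = []
    for f in flows:
        if f.ts >= cutoff and f.dst_ip not in baseline.get(f.src_host, set()):
            alerts.append(Alert(f.src_host, f.dst_ip,
                                f"new destination, {f.bytes_out} bytes out"))
    return alerts


def missed_by_indicators(flows: list[Flow], indicators: set[str]) -> set[str]:
    """Destinations the behavioural detector flags that indicator matching misses."""
    behavioural = {a.dst_ip for a in detect_new_destinations(flows)}
    signature = {a.dst_ip for a in match_indicators(flows, indicators)}
    return behavioural - signature


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("indicator alerts:", match_indicators(flows, KNOWN_BAD_IPS))
    print("behavioural alerts:", detect_new_destinations(flows))
    print("seen only by behavioural detection:", missed_by_indicators(flows, KNOWN_BAD_IPS))
```

On this constructed data the indicator check fires once, on the address already on the list, while the baseline check also flags the heavy traffic to 192.0.2.55, which no indicator covers. That gap is the point the article makes: a detector that only knows yesterday’s malware cannot see a campaign using fresh infrastructure, whereas a per-host baseline of normal destinations can, at the cost of a learning period and the false positives that any genuinely new but legitimate service will produce.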

Some lawmakers are also expressing concern about another DHS program called Continuous Diagnostics and Mitigation. That’s essentially a suite of preapproved cybersecurity tools DHS okays for use by federal agencies. Here’s more from Politico’s Eric Geller:

Langevin, however, defended both programs, saying they'd successfully kept out a range of digital threats and were only outsmarted by a highly sophisticated and elaborate Russian campaign that likely took years of effort. 

“I wouldn’t say this was a failure of government programs,” he said. “They pulled off something no one else has been able to pull off…It took a determined, sophisticated adversary, which clearly is what we have in Russia.”

Yet, the breach also comes after four years during which the Trump White House focused far more on punching back against hackers from Russia and elsewhere than on improving cyber defenses.

“Trump went far in the direction of … the best defense is a good offense,” Healey said. “Hopefully we can get back to where a good defense is a good defense and focusing on improving cybersecurity as a whole so attacks become harder.”

Lawmakers are also pushing changes that would improve the government’s response to such breaches. 

A major defense bill that’s sitting on President Trump’s desk would create the role of a national cyber director who would lead such efforts. Trump, who has threatened to veto the defense bill, eliminated a similar but less powerful position in 2018. 

“There’s no doubt that it would be helpful if we had a quarterback in the White House now,” Langevin said. 

Alex Stamos, a former chief cybersecurity official at Facebook and Yahoo, argued in a Post op-ed for going a step further and creating a government group similar to the National Transportation Safety Board to review major breaches and recommend changes so they don’t happen again. Stamos is now director of the Stanford Internet Observatory. 

The government response so far has been somewhat scattershot. 

CISA issued an emergency directive ordering agencies to find instances of the targeted software on their networks. But some agencies missed a Monday deadline to report back and it’s still not clear how many government agencies were compromised. 

CISA also is working without most of its top leadership after Trump fired director Christopher Krebs for defending the integrity of the election and several other top leaders resigned under pressure or by choice. That has left acting director Brandon Wales to shoulder a large part of the operation. 

National security adviser Robert O’Brien announced late yesterday he is cutting short a European tour to come back and coordinate the response. That came several hours after the National Security Council announced it was creating a Cyber Unified Coordination Group to manage the response. 

Finally, the breach is raising questions about whether the government is making the right calls on broader cybersecurity policies. 

The Justice Department, for example, has been pushing for years for special access to encrypted communications with a warrant so it can better track criminals communicating online. 

But the government’s failures to protect its own networks raise serious questions about whether it could ensure such special access didn’t also give criminals or foreign spy agencies broad access to people’s private communications.

Here’s more from Eva Galperin, cybersecurity director at the Electronic Frontier Foundation:

The keys

Ousted CISA leader Krebs will testify before a Senate committee about the security of the 2020 election. 

Krebs will testify alongside officials including Francis X. Ryan, a Pennsylvania state official and Trump supporter, who has sued to reverse President-elect Joe Biden’s win in the state. 

The Senate Homeland Security and Governmental Affairs Committee hearing will look into claims from the Trump campaign and other Republicans about election fraud. Trump and his allies have been unable to prove any such fraud claims in more than 50 courts, and the electoral college formalized Biden’s victory Monday. 

Witnesses also include Trump campaign lawyers Jesse R. Binnall and James R. Troupis, who pushed to invalidate election results in multiple states as well as Kenneth W. Starr, who defended Trump during his impeachment fight, and U.S. Election Assistance Commission Commissioner Donald Palmer.

Sen. Gary Peters (D-Mich.), the committee's top Democrat, said he was appalled by Republicans' choice to provide a forum to spread Trump's lies and false narratives about the outcome of the 2020 election.

Committee Chairman Ron Johnson (R-Wis.) has acknowledged Biden's victory, but told the Milwaukee Journal Sentinel the hearing is to discuss “what controls there are in place, what fraud does occur, what can we do to prevent fraud in the future.”

Here's more on what to watch for at the hearing from election security expert David Levine:

Top investors in SolarWinds sold millions in stock days before the company announced hackers breached its software.

The timing raises questions about when investors received information about the hack and whether they used that information to avoid major losses, Drew Harwell and Douglas MacMillan report. The company's stock has plunged about 22 percent since the Texas-based company disclosed that its software created a backdoor for Russian hackers.

The concerns could spark an investigation by financial regulators.

“Of course the SEC is going to look at that,” said Jacob S. Frenkel, a former senior counsel in the SEC’s Division of Enforcement. “Large trades in advance of a major announcement, then an announcement: That is a formula for an insider trading investigation.” 

Two of the firms that traded stock owned 70 percent of SolarWinds and had control of six board seats, giving them key access. Trades also occurred just before the company announced its chief executive was resigning, which could flag further concerns. 

A SolarWinds spokesman declined to discuss timing or answer further questions about the trades. A spokeswoman for the SEC also declined to comment.

Individuals affiliated with the French military ran Facebook influence operations that scuffled with Russian trolls.

The two nations created fake groups, pages and Instagram accounts seeking to influence politics in central and West Africa, Craig Timberg reports. Facebook announced the takedown of the pages yesterday.

It’s a rare discovery of rival influence operations from two countries duking it out to influence a third nation, researchers from Graphika and the Stanford Internet Observatory noted in a report Tuesday. The accounts took aim at each other by accusing the other of being fake and attacking each other's governments.

The takedown is also the first time the social media giant has called out people affiliated with a Western government for suspected inauthentic behavior. Facebook did not have evidence that the French military directed the users. The Russian accounts belong to people once affiliated with Russia’s Internet Research Agency, which interfered aggressively in the 2016 U.S. presidential election.

The French network included 84 Facebook accounts and several groups and pages that posed as Africans supportive of French military action in former colonies. Russian accounts tried to influence opinions on the Dec. 27 election in the Central African Republic and pushed narratives about vaccines for covid-19. 

“This shows that the U.S. is, by far, not the country with the worst foreign interference in our politics,” said Shelby Grossman, a research scholar at the Stanford Internet Observatory and co-author of the organization’s report on the Russian accounts.

Industry report

Stanford and UC-Berkeley cyber programs and 20 other institutions signed a pledge to end all-White male cybersecurity panel discussions.

The pledge requires signatories that are hosting or funding cybersecurity events to have at least one woman or member of an underrepresented community at panels of three or more speakers. Other groups that signed the pledge include the Atlantic Council, the company Rapid7 and the R Street Institute.

Five individuals also signed onto the letter including Camille Stewart, cybersecurity attorney and co-founder of #sharethemicincyber, a campaign to highlight the work of Black cybersecurity employees, and Suzanne Spaulding, who led DHS cybersecurity operations during the Obama administration and is now a senior adviser at the Center for Strategic and International Studies think tank.

“Cybersecurity is a global problem that necessitates wide-ranging dialogues with experts of all backgrounds, nationalities and career paths,” said Tatyana Bolton, R Street managing senior fellow for cybersecurity and emerging threats, who led the creation of the pledge. “In many ways, diversity is security.”

More cybersecurity news:

Exclusive-Suspected Chinese hackers stole camera footage from African Union - memo (Reuters)

Dominion Voting CEO: 'Disinformation campaign' defies logic (The Detroit News)

Huawei Gets Conditional Green Light in Germany as Government Approves Security Bill (Wall Street Journal)

Four Ways for President Biden to Fix Cyber on January 21 (Lawfare Blog)

3 lessons from Russia’s cyberhack into U.S. agencies (Erica Borghard and Jacquelyn Schneider)

  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing titled, “Examining Irregularities in the 2020 Election” today at 10 a.m.

Secure log off

Congrats to our friend at Politico Eric Geller on his attention-grabbing doors.