ON SEPTEMBER 25TH Russia’s president, Vladimir Putin, warned that “one of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere”. He proffered a solution. “In a mutually acceptable form,” he said, Russia and America would “exchange guarantees of non-interference in each other’s internal affairs, including electoral processes, including using ICT and high-tech methods”—in other words, a cyber-truce. Even as he spoke, a team of Russian hackers was apparently deep inside some of America’s most sensitive networks.
The team, known as APT29 or more evocatively as Cozy Bear, thought to be part of the SVR, Russia’s foreign intelligence service, are reported by several media outlets to have penetrated America’s Treasury, Commerce and Homeland Security departments, among others, where they could read internal emails at will. One former cyber-security official says the intrusion is one of the largest he has ever seen. It is believed to be the latest front in a broader Russian campaign. In October America and Britain accused a different Russian hacking group—Fancy Bear—of a string of cyber-attacks during 2015-19 against everything from Ukraine’s power grid to the Winter Olympics in South Korea.
The latest intrusion took a circuitous route. The malware used by the attackers hitches a ride on a legitimate piece of software called Orion, a tool written by SolarWinds, a Texan company that helps organisations monitor their computer networks. Somehow, the attackers gained access to SolarWinds’ computers. Between March and June this year, the company posted official software updates containing the malware. Once downloaded, the software can impersonate an organisation’s system administrators, who typically have the run of the entire network.
SolarWinds says that “this vulnerability is the result of a highly sophisticated, targeted…attack by a nation state”. According to FireEye, a cyber-security firm that was also a target, the malware lies dormant for two weeks and then cleverly funnels away data by disguising it as legitimate network traffic, while also parrying anti-virus tools. This is “really good tradecraft”, notes Dmitri Alperovitch of the Silverado Policy Accelerator, who was previously at CrowdStrike, another cyber-security company. “They brought their A-game,” he adds. A key question in any investigation is likely to be how the state in question compromised Orion in the first place.
However it was done, subverting software updates is a good strategy. Standard security advice, after all, is to install them as soon as possible. This is not the first time it has been used. The NotPetya malware in 2017, which spread worldwide, used compromised updates from a Ukrainian maker of tax-accounting software. In 2012 researchers discovered that attackers, presumed to be Western, had found a way to cryptographically impersonate Microsoft, allowing them to push malware-laden software to the company’s customers in Iran. The latest intrusion does not seem to be quite that fancy, but it is cunningly written and goes to considerable lengths to hide its presence from its targets. On December 13th America’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency order instructing federal agencies to disable SolarWinds software immediately, “the only known mitigation measure currently available”.
Orion’s ubiquity may explain why so many organisations appear to be affected. The hackers would have had their “pick of targets across government and the private sector worldwide”, says Mr Alperovitch. For now, at least, cyber-security experts think most are merely collateral damage, and were not deliberate targets. That is one downside of choosing software updates as an attack path: if the software is used widely, then many different companies will be infected, which raises the likelihood of detection.
America’s ability to muster a response to the intrusions is unlikely to be helped by President Donald Trump’s dismissal, on November 17th, of Chris Krebs, the head of CISA, for publicly affirming the integrity of the presidential election. Two years ago, moreover, Mr Trump eliminated the role of White House cyber-security co-ordinator. The president has also resisted public criticism of Russia and played down its cyber operations. In 2017 he floated the idea of a joint American-Russian “impenetrable Cyber Security unit” to guard against “election hacking” and “many other negative things”, to the bemusement and dismay of his own officials. Yet the problem of large-scale cyber-intrusions is one that predates Mr Trump and will vex his successor, Joe Biden.
Over the past decade, America tended to categorise and respond to cyber-attacks according to their aims. It regarded intrusions intended to steal secrets—in other words, old-fashioned espionage—as fair game, not least because its own National Security Agency (NSA) is a prolific thief. After China stole 22m security-clearance records from America’s Office of Personnel Management (OPM) in 2015, Michael Hayden, a former NSA chief, conceded that it was “legitimate” and “honourable espionage work”. In contrast, attacks intended to cause harm, like Russia’s dissemination of hacked emails during the 2016 elections, or those with commercial motivations, like China’s theft of industrial secrets, were thought to cross a line. America has accordingly indicted and imposed sanctions on scores of Russian, Chinese, North Korean and Iranian hackers.
Yet this American effort to stamp norms onto a largely covert and chaotic arena of competition has been largely unsuccessful. For one thing, it is not always simple to define what is “honourable”, in Mr Hayden’s parlance, and what is not. If stealing a policy document is kosher, why not a vaccine? America and its allies may perceive a clear line between stealing secrets to deepen understanding and pilfering them for material or technological gain; adversaries need not accept such fine ethical compartmentalisation. Another issue is that the line between espionage and subversion can also become blurred: is Russia stealing emails to understand American policy, or to publish them later? It is not always clear until after the fact.
Though human agents remain important—and are vital to some cyber-operations—the role of espionage over computer networks has grown steadily more important, permitting intelligence-gathering on a scale that was previously impossible. Though America has been as much a beneficiary of this intelligence revolution as it has been a victim, its views have shifted in recent years. It has grown more aggressive, contesting adversaries inside their own networks and striking back at a wider range of provocations. American views of “what’s allowed in cyberspace have changed” since the OPM breach five years ago, says Max Smeets of the Centre for Security Studies in Zurich. Such large-scale espionage “would be now at the top of the list of operations that they would deem as unacceptable”, he suggests.
What is clear is that, apart from erecting sturdier cyber-defences, America can no more wall itself off from attack than it could quell KGB recruitment during the cold war. Neither punishment nor pacts, like the one Mr Putin proposed, will work. “Deterrence is mostly irrelevant in an intelligence contest,” writes Joshua Rovner of the American University in Washington, who was a scholar-in-residence at the NSA in 2018-19. “No combination of threats and promises will stop a rival intelligence service from collecting information.”