Thursday, January 28, 2021

SolarWinds Is Not the 'Hack of the Century.' It’s Blowback for the NSA's Longtime Dominance of Cyberspace

Breathless coverage of the SolarWinds hack functions to manufacture consent for NSA's internet hegemony and to divert us from considering alternative models of security.


Published on Wednesday, January 27, 2021 by Common Dreams
The National Security Agency (NSA) logo is shown on a computer screen inside the Threat Operations Center at the NSA in Fort Meade. U.S. President George W. Bush visited the ultra-secret National Security Agency on Wednesday to underscore the importance of his controversial order authorizing domestic surveillance without warrants. (Photo: Brooks Kraft LLC/Corbis via Getty Images)

Last month, the private security firm FireEye discovered a widespread breach of government and corporate computer networks through a so-called "supply chain" exploit of the network management firm SolarWinds, conducted by nation-state-level hackers, widely thought to be Russia. Most coverage of the breach featured ominous headlines and quotes from current and former government officials describing it as the biggest hack of modern times. Occasionally, buried in one of the closing paragraphs, there was an official quoted admitting that, so far, only "business networks" were known to be compromised—sensitive but unclassified email systems and data on job descriptions and HR functions.

These stories lack context of the true state of cyber espionage over the last few decades. The SolarWinds hack is certainly a large and very damaging breach, but one could almost pick at random any five or ten of the hundreds of codename programs revealed in the Snowden documents that would top it. The mother of all supply chain attacks (that we know of publicly) may have been the clandestine American role behind Crypto AG—which allowed the NSA to sell scores of foreign governments broken cryptographic systems through which it was possible to crack the encryption on their top-level government and military communications for decades. And of course the first, and one of the only, actual cyberattacks in history was the Stuxnet program conducted by Israeli and American services against Iranian nuclear centrifuges.

Yet the American public may be left with the impression that Russian hacking poses a uniquely aggressive and destabilizing threat to the international order, and therefore must be punished. News coverage has been laden with apoplectic quotes from senior officials and lawmakers that the breach represents "virtually a declaration of war," that we need to "get the ball out of their hands and go on offense," that "we must reserve our right to unilateral self-defense," and even that "all elements of national power must be placed on the table" (All elements? Tanks? Nuclear weapons?). This kind of hyperbolic reaction cannot be driven by sincere shock at the idea of a government hacking into and spying on another government's networks. More plausibly, it is driven by outrage at the idea of any other nation challenging the United States' overwhelming dominance to date in network espionage.

The Pentagon has so far responded to the breach by proposing a rearrangement of the organizational chart for our cyber army. And if history is any guide, Congress will respond as it has to past intelligence failures: by throwing more money at the bureaucracy to feed its legion of private contractors. In other words: more of what contributed to this breach in the first place. The ever-growing feeding frenzy for beltway bandits not only increases the attack surface for foreign hackers, it ensures that Congress does not have the capacity (even if it had the will) to understand and oversee increasingly complex supply chains and to enforce basic security standards for the very companies who will be called on to fix these vulnerabilities. Few were even aware of the ubiquity of SolarWinds' presence across so many of our government networks, and the lax security practices of this key software provider have only come under scrutiny retroactively. According to reports, the update server for SolarWinds' software—an incredibly sensitive piece of any software supply chain—was publicly accessible by a default password that had leaked to the internet in 2019, and the company had been warned both by its employees and by independent security researchers.

Here another tragic irony emerges: whatever internal channels were used to warn of these security lapses were clearly not effective, but if a whistleblower had taken this kind of sensitive national security information to the press—publication of which perhaps could have forced action and prevented a major act of espionage against our government—they would have put themselves at risk of prosecution under the Espionage Act.

So while the pundits clamor for retaliation and Washington bickers about rearranging the desks at Fort Meade, we still do not get a debate on alternatives that might better serve the American people. In secret, and without public consultation, the NSA long ago decided to use our privileged position sitting atop the internet backbone not to secure it and level up the safety of key systems for all its users, but to poke more holes in it, and to stockpile exploits and hoard vulnerabilities in order to dip its hands into nearly every network, communications protocol, and computer system of consequence on the planet, foes and allies alike.

Even our defensive strategy has become a policy of aggression. Dubbed "defend forward," it has us maintaining backdoors and software implants on key infrastructure systems around the world, as a way of keeping a loaded gun pointed at any real or potential adversary. Like our nuclear policy before it, the stated goal is deterrence, but the actual goal is to create a cover for unchecked aggression and dominance. If reports are true that Russia was behind SolarWinds, and was using its access to case physical infrastructure networks in the U.S., their motivation may have been to gain a small measure of deterrence against the overwhelming superiority of American offensive capabilities.

The wisdom of such an aggressive posture towards the global internet was one of the key questions Edward Snowden posed to the public after his disclosures. We should not fail to consider it as we increasingly get a taste of what the rest of the world has been subjected to by American spies for decades.

Jesselyn Radack

Jesselyn Radack is a national security and human rights attorney who heads the 'Whistleblower & Source Protection' project at ExposeFacts. Follow her on Twitter: @JesselynRadack


William Neuheisel is a human rights and civil liberties analyst at WHISPeR. Follow him on Twitter: @wneuheisel