The digital attacker today is a nation state and not Matthew Broderick in ‘WarGames.’
“SolarWinds hack explained” is a popular internet search term. Sadly, very little has yet been explained.
The words “inside job” have been bandied mainly on expert blogs and online forums, not yet in the mainstream press. But we might suspect the human factor will turn out to have played a key role. Edward Snowden was the security flaw that led to a previous government data disaster. John Podesta was the unwitting flaw that put Democratic campaign emails in the hands of presumptively Russian hackers.
Software code and network systems may have inherent vulnerabilities but as systems become more complex and harder to penetrate, corrupting or fooling an authorized human will increasingly be the cost-effective avenue of attack. Once upon a time, we could tell ourselves any holes in our network systems were bound to be discovered and exploited. Not unreasonably, our sotto voce response was: Thanks for letting us know. Praise God the vulnerability was discovered sooner rather than later.
Industrial-strength corruption and sabotage of networks by state actors is the concern now. Closing holes is still important but more important will be deterring and shaping the incentives of attackers.
A security expert tells Reuters he alerted the Texas company SolarWinds last year to a sloppy password vulnerability, but Reuters was quick to add the defect didn’t play a role in the latest attack. Its perpetrator likely had no place in his plan for serendipity; his goal from the start was to target and break a specific company because its software offered access to the networks of thousands of other companies and government agencies.
Russia is the likely culprit according to Secretary of State Mike Pompeo and others. A blog post by Microsoft President Brad Smith is widely quoted in press accounts, urging cooperation between government and private firms to detect and fight off intrusions, which is fine but ought to be a secondary concern.
The SolarWinds hackers did not seek to disable the systems they accessed as North Korea did in its 2014 Sony hack. To Russia, the cost would have outweighed the potential benefit, since the U.S. was expected to be able to identify and retaliate against such an attacker.
Incentive and deterrence, the usual tools of statecraft, are working here even if we don’t see it. Indeed, only after it was discovered did the latest attack likely begin to serve its deepest purpose for Russia: to intimidate and coerce U.S. elites. On the media hysteria front Russia may be winning the spy vs. spy wars. On every other front Russia has been losing. The mysterious “Panama Papers” and “Paradise Papers” leak of banking documents in 2016 and 2017 was plainly seen by the Kremlin as a Western attempt to embarrass Vladimir Putin and his financial cronies. This month a trove of 16-year-old emails came into public view showing how one of Mr. Putin’s crony scions, Kirill Shamalov, became an overnight billionaire after marrying Mr. Putin’s daughter.
Russia’s hands behind the Malaysian airliner shootdown, the polonium murder of a Russian émigré in the U.K., the attempted murder of another with a nerve agent, were all exposed with ease in the world press. Even the names and photos of individual suspects were published. In the past few days, the private outfit Bellingcat exploited the corruption of Russia’s domestic data markets to name and persuasively describe the activities of the Russian agents allegedly involved in August’s attempted murder of opposition politician Alexander Navalny.
Looming over all, the role of Kremlin agents in a 1999 spate of domestic terrorist bombings that cemented Mr. Putin’s rise has been extensively revealed in the public domain. Awaited is only a Western government’s or intelligence agency’s decision to out Mr. Putin for the crime.
Let’s use the right word, with the right associations—not hacker but attacker. If Russia is the culprit, the regime’s second-greatest sensitivity (after its inability to keep secrets) is sanctions that prevent regime favorites from traveling in the West and securing their wealth under Western laws. Sanctions work, contrary to shibboleth: Governments carefully weigh the potential costs of their actions even if those costs don’t always deter them. So maybe arrest a few children of Russian oligarchs living in the West as accessories to money laundering. Maybe seize a few yachts and Fifth Avenue mansions. Make sure the names of Russian cybercriminals appear conspicuously on the terrorist lists from which names occasionally disappear for drone-related reasons.
Matthew Broderick in “WarGames” isn’t the prototype. When the hacker we worried about was the random teenager we could never identify in advance, investment in defense was the way to go. The problem is different now. Russia needs to be kept in its place, with a punch in the nose if necessary, not least because the real long-term challenge is China. Russia is stuck with a leader who, with options limited, is focused on regime survival above all, at the expense even of Russia’s national interests. The Russian people will be among the beneficiaries of setting limits on his behavior.