Engineering Ethics Blog: The SolarWinds Data Breach: Should We Care?


 

The
year 2020 will go down in history for a number of reasons, but the cherry on
the disaster cake hit the news in mid-December. 
Cybersecurity investigators discovered that some software provided by
the Austin, Texas network-monitoring software firm SolarWinds was
“trojaned” some time in early 2020. 
Hackers, later identified as Russian, managed to insert malware into an update
of Solar Winds’s popular network-monitoring software, and this allowed the
hackers to access customers’ emails and other supposedly secure data from around
March of 2020 until one of SolarWind’s customers noticed that someone had
stolen some of their cybersecurity tools, and notified the company.  In similar attacks, Microsoft software was
similarly compromised.

 

This
was a complicated and well-organized exploit, as the hackers focused their
attention on high-value targets such as government agencies.  Wikipedia’s article on the breach reads like
a list of a spy’s dream targets:  the Department
of Defense, the National Nuclear Security Administration, the National
Institutes of Health (in the midst of the COVID-19 pandemic, yet), the Department
of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the
Department of State, and the Department of the Treasury.  As in any spying operation, most of what they
got won’t be that useful to them, but some of it very well may be. 

 

Fortunately,
the hackers did not use their access to lock files or cause other disruptions
that might have drawn premature attention to what they were doing.  They were spying, not sabotaging.  But of course, what they learned may help
them commit sabotage in the future.  We
simply don’t know.

 

How
did this happen?  In the case of SolarWinds,
the hackers gained access to the firm’s “software-publishing
infrastructure” way back in October of 2019.  Clearly, the company’s own security measures
were insufficient to prevent this initial breach, which if caught could have stopped
the whole attack in its tracks.  But something
as simple as carelessness with passwords can allow hackers into a system.  Hacking is like burglary, in that ordinary
defenses stop the average burglar, but if a huge sophisticated gang decides to
focus on your house, there’s not a lot you can do to stop them.

 

And
SolarWinds was the focus of the Russian hacking group known as “Cozy
Bear” because of their critical place in the software supply chain.  Thousands of firms use their
network-monitoring software, which meant that “trojanizing” a
SolarWinds software update gave the hackers potential access to any of
SolarWinds’s customer’s systems.  And
that is exactly what happened.

 

Once
the breach was discovered last month, SolarWinds went public and warned its customers
of the problem.  But as one expert
interviewed on the breach put it, fixing the leaks that the hackers established
is like getting rid of bed bugs: 
sometimes they are so spread out that finding each individual bug is an
impossible task, and you have to burn the mattress.  The reason is that once the attackers got
into a system, they could wander around and establish more access points.  And stopping the original breach does nothing
about those access points, which can be hard to find.  So even though we know how the hackers got
in, it’s not going to be an easy matter making sure that they can’t keep spying
on their victims without throwing out a whole lot of software and starting over
from scratch.

 

What difference does all this make to the average Joe or
Jane?  If you don’t work for one of the
affected companies or agencies, should you even bother to put this on your
already-lengthy worry list? 

 

In itself, the breach’s consequences are unpredictable.  Governments keep some things secret for good
reasons, mostly, and when those secrets are revealed, bad things can
happen.  We are not currently in direct
hand-to-hand conflicts with Russia, but there are low-level military operations
going on all over the world, many of which the U. S. is involved in without the
knowledge of the general public.  As in
any military operation, intelligence about plans or proposed actions can be
used against you if it leaks, so for one thing, our military forces have been
put in a potentially bad situation.  But
again, it’s hard to tell yet.

 

During World War II, the Germans were largely unaware that
the Allies had breached their most-secure code system with the Turing-inspired
“bombes” of Bletchley Park, because any military advantage that the Allies’
decoding operations gave them was carefully disguised to look like luck.  So we can expect Russia to disguise any
advantages it’s attained from the Cozy Bear attacks similarly, although we now
know roughly what they’ve been up to. 

 

Institutions change slowly, and the old saying that generals
in a new war start out by fighting with the previous war’s weapons is still
true.  There will always be a need for
troops on the ground in some situations, but as more and more commerce and activity
of national importance takes place in cyberspace, future battles will also be
staged more and more in the digital realm. 

 

As we know from bitter experience in other areas of
engineering ethics, it usually takes a spectacular tragedy to inspire major
institutional change that could have prevented the tragedy in the first
place.  We have been relatively fortunate
that bad consequences from cyberattacks on U. S. targets have not approached the
magnitude of a 9/11, for example. 
Probably the worst ones have been ransomware attacks mounted by
apparently private criminal groups that shake down organizations for money,
usually in the form of bitcoin.  While
serious for the organizations targeted, these sorts of attacks have not up to
now appeared to be part of a coordinated terrorist-like systematic assault on
the nation’s infrastructure.

 

Such an attack could come at any time, however.  And the fact that Cozy Bear hackers were
reading the Pentagon’s mail for the last nine months does not inspire
confidence in the ability of our nation’s cyber-warfare personnel to prevent
such attacks.  Until we take cyberwarfare
fully as seriously, if not more seriously, than attacks with conventional
weapons, we are effectively inviting hackers to see what they can do to disrupt
life in the United States.  Let’s hope they
don’t try any time soon.

 

Sources:  I
referred to an article by Kara Carlson of the USA Today Network which appeared on
the Austin  American-Statesman‘s
website on Dec. 30 at https://www.statesman.com/story/business/2020/12/30/solarwinds-breach-could-shape-cybersecurity-future/3999961001/.  I also referred to a chronology of the
attacks on the channele2e website at https://www.channele2e.com/technology/security/solarwinds-orion-breach-hacking-incident-timeline-and-updated-details/,
and the Wikipedia article “
2020 United States federal government data
breach.”



Source link