Wednesday, December 23, 2020

Russian Hacking

The media is overly excited about the Russian hacking using the SolarWinds update process. 

First, was it Russia?  It seems likely that it was Russia, but not certain.  Anyone who is good enough to develop the SolarWinds hack would be smart enough to cover his tracks.  He may not have covered them perfectly, and we may be able to track down the hacker, but he may also have successfully covered his tracks.  He could be a Chinese hacker who copied the trademark signatures of the Russian hackers and who routed his hacks through Russian servers or websites.  It could be a hacker anywhere who did the same thing.  It requires computer expertise, but there are a lot of computer geniuses out there, including in the Middle East and Latin America.  I am surprised that no one has mentioned Edward Snowden in connection with the hacking.  He is a computer genius living in Russia who knows American computer security extremely well.  Is it possible that the Russians have gotten some help from him? 

Second, I think that whatever this was, it was not an attack or the start of a war.  It looks more like intelligence gathering and testing of hacking techniques.  The test worked pretty well, since it went undetected for six months, but of course there may be other hacks out there that have been even more successful and have still not been detected.  In any case, nothing major has been damaged.  They have not even emulated the ransomware hackers, who have captured and held important data from hospitals and government offices for ransom.  They have not shut down the electric grid or turned off the water or sewage treatment in any cities. 

I doubt that the hackers knew exactly what organizations they were going to be hacking into.  They knew that SolarWinds had lots of important clients, but they probably weren’t sure exactly which ones they would end up getting access to.  They may have succeeded far beyond their expectations, or it might have gone exactly as planned.  We don’t know.  Were their main targets government agencies, or private companies?  We don’t know.  The fact that the hackers did not steal money indicates to me that they were probably government-backed, and not private citizens hacking for fun and profit. 

Sen. Mitt Romney compared the hack to the US invasion of Iraq, when we took out many of Iraq’s communications hubs with our missiles.  I do not think this is an appropriate comparison.  The hackers did not use their weapons, if indeed they have weapons that could bring down facilities in the US.  It was like developing and demonstrating new missiles, putting the enemy on notice that you have these capabilities and can use them if you choose to.  But they (whoever they are) have not chosen to.  But just as Saddam should have been wary of provoking the US, we should beware of provoking these hackers. 

As nations develop new weapons they often turn to arms control to prevent the new weapons from leading to war.  We don’t have much experience with arms control type agreements for computer hacking, but some of the same principles apply, like Reagan’s maxim, “Trust buy verify.”  I am not sure how you verify an agreement to control hacking.  Bombs and missiles usually need to be tested in the open, where detection by satellites or other means is often possible.  Hackers can experiment on their own internal networks, which may be difficult or impossible for outsiders to monitor.  Of course the best test would be to see if you can penetrate the actual defenses of the country or business you might want to attack in the future. 

Nevertheless, arms control agreements are like speed limits.  Not everyone obeys them, but they set standards of behavior and provide a basis for at least discussing violations, if not definitively proving and punishing them. 

Another complication is non-state actors who hack for their own personal purposes.  It is a lot easier for an individual or small group to hack into a network than it would be for them to develop a bomb or missile.  Governments have developed systems for dealing with violent terrorists that are different from those for dealing with other governments.  We already have criminal penalties for individual hackers although they may be hard to apply to hackers operating from foreign countries. 

I think it is worthwhile to begin discussions of some kind of arms control agreement covering hacking to get some idea of what’s possible and what’s not.  In an ideal world leading tech countries would work together to control individual bad actors and well as to monitor each other’s conduct. 

No comments: