The media is overly excited about the Russian hacking using the SolarWinds update process.
First, was it Russia? It seems likely that it was Russia, but not certain. Anyone who is good enough to develop the SolarWinds hack would be smart enough to cover his tracks. He may not have covered them perfectly, and we may be able to track down the hacker, but he may also have successfully covered his tracks. He could be a Chinese hacker who copied the trademark signatures of the Russian hackers and who routed his hacks through Russian servers or websites. It could be a hacker anywhere who did the same thing. It requires computer expertise, but there are a lot of computer geniuses out there, including in the Middle East and Latin America. I am surprised that no one has mentioned Edward Snowden in connection with the hacking. He is a computer genius living in Russia who knows American computer security extremely well. Is it possible that the Russians have gotten some help from him?
Second, I think that whatever this was, it was not an attack or the start of a war. It looks more like intelligence gathering and testing of hacking techniques. The test worked pretty well, since it went undetected for six months, but of course there may be other hacks out there that have been even more successful and have still not been detected. In any case, nothing major has been damaged. They have not even emulated the ransomware hackers, who have captured and held important data from hospitals and government offices for ransom. They have not shut down the electric grid or turned off the water or sewage treatment in any cities.
I doubt that the hackers knew exactly what organizations they were going to be hacking into. They knew that SolarWinds had lots of important clients, but they probably weren’t sure exactly which ones they would end up getting access to. They may have succeeded far beyond their expectations, or it might have gone exactly as planned. We don’t know. Were their main targets government agencies, or private companies? We don’t know. The fact that the hackers did not steal money indicates to me that they were probably government-backed, and not private citizens hacking for fun and profit.
Sen. Mitt Romney compared the hack to the US invasion of Iraq, when we took out many of Iraq’s communications hubs with our missiles. I do not think this is an appropriate comparison. The hackers did not use their weapons, if indeed they have weapons that could bring down facilities in the US. It was like developing and demonstrating new missiles, putting the enemy on notice that you have these capabilities and can use them if you choose to. But they (whoever they are) have not chosen to. But just as Saddam should have been wary of provoking the US, we should beware of provoking these hackers.
As nations develop new weapons they often turn to arms control to prevent the new weapons from leading to war. We don’t have much experience with arms control type agreements for computer hacking, but some of the same principles apply, like Reagan’s maxim, “Trust but verify.” I am not sure how you verify an agreement to control hacking. Bombs and missiles usually need to be tested in the open, where detection by satellites or other means is often possible. Hackers can experiment on their own internal networks, which may be difficult or impossible for outsiders to monitor. Of course the best test would be to see if you can penetrate the actual defenses of the country or business you might want to attack in the future.
Nevertheless, arms control agreements are like speed limits. Not everyone obeys them, but they set standards of behavior and provide a basis for at least discussing violations, if not definitively proving and punishing them.
Another complication is non-state actors who hack for their own personal purposes. It is a lot easier for an individual or small group to hack into a network than it would be for them to develop a bomb or missile. Governments have developed systems for dealing with violent terrorists that are different from those for dealing with other governments. We already have criminal penalties for individual hackers, although they may be hard to apply to hackers operating from foreign countries.
I think it is worthwhile to begin discussions of some kind of arms control agreement covering hacking to get some idea of what’s possible and what’s not. In an ideal world leading tech countries would work together to control individual bad actors as well as to monitor each other’s conduct.