The attackers who exploited a security flaw in SolarWinds’ Orion network monitoring software to breach government agencies and large companies were almost certainly acting on behalf of a nation-state. While most official sources have not yet named the country behind the breaches, many have pointed the finger at Russia, specifically at a group known as APT29, or Cozy Bear, part of Russia’s SVR foreign intelligence service.
Regular cybercriminals can be brought to justice if discovered and apprehended. But when the culprit is another country or one sponsored by another government, how should the targeted nations react? How does a country like the US respond, both defensively and offensively, to a Russia (or a China or a North Korea) in the event of such an attack?
The cyberattacks have sent shockwaves across the US government, leading the Cybersecurity and Infrastructure Security Agency (CISA) to label the incident as posing a “grave risk” to the federal, state, and local governments as well as to critical infrastructure providers and the private sector. Key security agencies and personnel in the US government have feverishly been discussing how this breach could have happened and how to deal with it.
One response has to be a greater, ongoing focus on preventing these types of attacks, even when the country is concerned with other matters. The attackers knew not only how to strike but when. They chose a time when the US was preoccupied with protecting its 2020 election from foreign interference, grappling with the coronavirus, trying to spearhead a vaccine, and of course, hampered by dysfunction and discord within the White House and Congress.
That last point is especially key during these times. The divisiveness and ineffectiveness within the highest ranks of the US government are almost taken for granted. But they have real-world consequences, ones that adversarial nations are all too happy to exploit.
Even as Secretary of State Mike Pompeo stated in an interview that it was pretty clear the Russians engaged in these cyberattacks, outgoing president Donald Trump was casting doubt on that conclusion. In one of his many tweets, Trump downplayed the possibility that Russia was behind the breach and twisted the matter into his usual diatribe that he actually won this year’s election. An administration so fraught with conflict and confusion leaves the country ripe for cyberattack.
“This has become an issue of national importance that will benefit from strong presidential leadership, whether we’re talking about the next four weeks or the next four years,” Microsoft president Brad Smith said in an interview with NPR. “This is really a moment of reckoning. It highlights weaknesses in the nation’s defenses. It shows us where we need to strengthen our laws. It indicates where we need strong collaboration with America’s allies to hold these kinds of nation-state attackers accountable.”
Beyond a more concerted focus on security and a more competent and effective political administration, what else can a country like the US do to thwart these types of attacks? Sanctions against the offending nation are always a potential measure.
“Following the Russian disinformation campaign to influence US elections and hacking of the Democratic National Convention in 2016, the US government responded by announcing sanctions against Russia and expelling Russian diplomats operating at embassies in the US,” Austin Merritt, cyber threat intelligence analyst at Digital Shadows, told TechRepublic.
“The measures were implemented to warn those responsible that cyberattacks on the US will not go without consequence,” Merritt said. “It’s realistically possible that the US government would consider similar measures to respond to a cyberattack of this magnitude perpetrated by a nation-state threat actor.”
In his NPR interview, Smith also mentioned the possibility of sanctions. Asked how to hold the perpetrators accountable, Smith said that it starts with clear public attribution, followed by consequences.
“There are many tools, from economic sanctions to deterrence measures,” Smith said. “We saw, especially in the federal government, great leadership to protect our elections. Now let’s apply that to these other cybersecurity issues, as well.”
However, responding with sanctions and other deterrents will do little if the country’s own defenses are still lacking.
“Attribution and retribution are the most difficult tasks in cybersecurity, as the danger of escalation or expansion to another adversary is high, or in worst case a neutral or friendly state is innocently targeted by a hack back attempt,” said Dirk Schrader, global VP at New Net Technologies.
“Offensive responses will accelerate this race and the fallout of future attacks might well be felt by millions of citizens,” Schrader said. “The defensive reaction is around the notion of ‘clean source,’ that is to establish cyber resilience to the software development process and the SW supply chain from open source libraries used by a software vendor all along to the end user deploying and updating the vendor’s products.”
This opinion is echoed by Jack Mannino, CEO at security firm nVisium.
“The US should devote additional time, money, and energy into shoring up defenses across the software supply chain rather than waging online wars,” Mannino said. “Clearly, deterrents aren’t working, and our software and systems are as porous as they’ve ever been. Defense and open information sharing for indicators of compromise will ultimately prove more effective long-term than engaging in cyber playground fights.”