As the U.S. government parses through the Solar Winds software supply chain breach, many questions still remain as to the motive, the entities targeted, and length of time suspected nation state attackers remained intrenched unseen by the victims.  The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed.  Simply, the attackers compromised the infrastructure of SolarWinds, a U.S. company that develops software for organizations to manage their networks, systems, and information technology infrastructure.  Once they exploited the company’s Orion monitoring platform, the actors used that access to produce and distribute Trojanized updates to the end users and Orion customers, many of which are major U.S. government agencies, Fortune 500 customers, and high-profile business such as a private cyber security firm and Microsoft.

On the surface the expanse of the breach is extremely disconcerting, especially given the stature of the victims, their roles, and the potential information systems and the information resident on them that could be exploited.  It is easy to see how the potential compromise of entities in charge of foreign diplomacy, economic prosperity and financial security, and energy security and the management of nuclear weapons can provide valuable insight for a foreign adversary and their decision-making calculus.  At present, the breach appears to be cyber espionage-motivated in that the attackers seem to be more concerned with surveillance and information collection rather than the purposeful manipulation or disruption of information/information technology.  However, should the intent of the attackers change, espionage activities can quickly escalate to more destructive attacks.  One lingering question is what activities the attackers conducted once gaining access, as well as what information was searched for, stolen, and/or monitored.  Once inside a network such actors – particularly if they are state agents – typically move laterally and establish backdoors to bolster their presence on compromised networks.

The immediate question raised is how was this breach possible?  Cyber security has been consistently raised by nonpartisan groups like the Government Accountability Office that frequently survey the federal cyber security landscape, identifying problem areas and making recommendations.  In the past two years, the U.S. government has issued several cyber-related strategies including but not limited to the 2018 National Cyber Strategy, the 2018 Department of Defense Cyber Strategy, and  the 2018 Department of Homeland Security (DHS).  In the time leading up to the 2020 presidential elections, U.S. Cyber Command (CYBERCOM) and DHS were very active in monitoring for similar types of activities that plagued the 2016 election, with CYBERCOM taking more aggressive actions in certain instances to mitigate the threat.  But it appears that as the United States geared up to take on the Hydra of misinformation-disinformation-propaganda, it missed the stealthier, quiet threat from the very adversary it was certain would try to disrupt the election.

Perhaps equally disconcerting, is the fact that the larger U.S. cyber security apparatus did not detect the breach and was reliant upon a private cyber security firm to notify them of the sophisticated attack.  According to the New York Times, the National Security Agency (NSA) allegedly did not of the breach until it was notified by the private cyber security company.  If true, this is disappointing for an organization largely considered one of if not the premier intelligence agency in the United States.  Regardless, NSA quickly published an advisory detailing tactics, techniques, and procedures of the attack in order to enable organizations to detect the abuse of authentication mechanisms that facilitated the SolarWinds breach.

One alarming reaction to the SolarWinds breach is that many appear surprised that an attack of this sophistication – against the software supply chain – was successfully executed by a nation state believed to be Russia.  This is interesting given that the United States has had a national supply chain strategy in place since 2012 in which the fostering of “a global supply chain that is prepared for, and can withstand, evolving threats and hazards and can recover rapidly from disruptions’ was identified as an explicit goal.  When it comes to advanced state cyber actors, their ability to execute sophisticated attacks should not come as a surprise.  Just because much of suspected hostile state cyber activity that has been observed may not appear to be sophisticated (albeit, still successful), it is by no means representative of a state’s total capability.  It is only what’s been willingly exposed by the actors. The Stuxnet, Flame, Duqu, and Triton incidents are more indicative of an advanced state actor’s capabilities, and underscore what more thoughtful and planned activities can accomplish.  The SolarWinds breach will join this pantheon of top tier campaigns.

Russia has long been considered a near-peer adversary to the United States in cyber capability, assessed by the Director of National Intelligence to pose a cyber espionage, influence, and attack threat to the United States. More importantly, Moscow’s entire Information Confrontation strategy is rooted in the ability to execute on both a psychological level (e.g., election influence), as well as a technical level (e.g. compromise of systems to facilitate espionage).  The fact that this attack successfully compromised major U.S. civilian and military organizations is a testament to the time and care that went into research, planning, and execution.

The United States has espoused a “defend forward” mindset that actively takes the fight to the adversary rather than wait to react to their attacks.  Such actions proved successful against a more obvious threat such as a Russian troll farm during the 2019 midterm elections, and Iranian influence campaigns in the lead up to the 2020 election.  However, such successes have been limited and have not altered adversary behavior, particularly if the target(s) could yield significant intelligence gains.  The best defense is a good offense is an adage that has applicability across many fields of endeavor, but cybersecurity is not one of them. That is not to say that defense-forward measures don’t hold merit. They do.  But they are not a sweeping solution and will not certainly work for adversaries that continue to conduct operations to support the highest levels of their national interests.

Rethinking how to improve cybersecurity remains a riddle wrapped in a mystery, inside an enigma.  A massive breach impacting so many vital organizations like the one that happened with SolarWinds is clear evidence that our approach to mitigating threats in cyberspace is not working.  National strategies are important blueprints that chart paths forward.  The United States has both a cyber security strategy and a supply chain strategy in place.  But these documents are only as good as their implementation and auditing to ensure that stakeholders are meeting milestones and being held accountable if they don’t.  Every few years an update is provided, but they have thus far provided the necessary direction to address the types of attacks that continually exploit high value targets.  This approach needs a reset. Compliance and security failures must incur swift financial repercussion to encourage organizations to find ways of changing the status quo of their cyber security and remediation procedures.  A good way to start is at the budgets of these bureaucratic institutions, and through the strict oversight of how their money is spent and accounted.  Increased funding for cyber security is a start, but what would be more telling is showing how it was spent, what technologies have been purchased and implemented, what personnel has been hired to support cyber security, and most importantly, how these have directly contributed to the overall security posture.

What’s also clear is that a better balance must be achieved between the offense and defensive sides of the house, which means maintaining constant diligence, creative thinking, and a continuous loop of engagement.  Leaning too heavily in one direction has not yielded substantive improvements to our overall cyber security posture.  Shifting the focus of defense forward engagement might be more beneficial if it concentrates less on “hurting” the unseen adversary, and more on surreptitiously gleaning tactics, techniques, and procedures from would-be attackers prior to their conducting hostile activity in order to better inform and prepare network defenders.  After all, the best fishermen are those that learn the craft to support a lifetime of work, rather than wait for someone else to bring in the catch of the day.

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

For additional insights:

Russian Espionage Campaign: SolarWinds

Four National Security Experts Discuss Critical Technologies at OODAcon