No, no and no again, says Andy Keiser. Put your weapons down.
The massive SolarWinds hack of US federal and private networks is not an “act of war,” he said, as lawmakers struggle to come to grips with the sheer magnitude of the cyber intrusion.
Espionage is not an act of war, said Keiser, a former top congressional intelligence staffer.
“Had they weaponized the attack — or if they attempt to later — that could be,” Keiser told Breaking Defense in an exclusive interview.
“To me, if you direct systems to create physical destruction or disrupt critical infrastructure, like an electric grid, using a cyber attack, that could be an act of war.”
“The depth and scope of the intrusion is breathtaking,” Keiser added. “The scariest thing is the Russians could, and almost certainly will, lurk deep inside of our nation’s most sensitive networks, including those holding nuclear secrets, for months, if not years.”
Over the past several years, the US invested billions of dollars in Einstein, a system designed to detect digital intrusions.
But because the SolarWinds hack was what’s known as a “supply chain” attack, in which Russia compromised a trusted tool rather than using known malware to break in, Einstein failed spectacularly, Wired reported.
The government can’t say it wasn’t warned; a 2018 report from the Government Accountability Office recommended that agencies — and federal defense systems more broadly — take the supply chain threat more seriously.
Meanwhile, the storm over a cyber attack only helps Russian President Vladimir Putin’s image at home as a strong leader, even as the Kremlin denies involvement amid fears of a backlash when Joe Biden enters the White House.
Why is this hack so bad?
Hackers believed to be working for the KGB’s successor agency, the SVR, slipped malware into a regular update to SolarWinds’ widely used cybersecurity software, Breaking Defense reported.
That gave them backdoors into every network using those SolarWinds tools, from private companies to the Pentagon to the builder and maintainer of nuclear weapons.
However, SolarWinds wasn’t used on networks carrying classified data, only on unclassified ones, Breaking Defense reported.
Indeed, the Energy Department on Friday clarified earlier reports to stress that the hackers only accessed “business networks” and “has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration.”
One insider confirmed that the nuclear weapons networks are separate from those “front facing” business operations networks, saying there is no need for anyone to “have their hair on fire.”
Nonetheless, highly skilled hackers can sometimes turn a foothold on one network into a jumping-off point to penetrate another — even if the two networks are physically separated by what’s known as an “air gap.”
“Don’t let anyone fool you,” said Terry Dunlap, a former NSA hacker who’s now Chief Security Officer at ReFirm Labs. “Classified data on a ‘different’ system can still be accessed, for example by air-gap jumping techniques.”
Arguably the most notorious example here is the Stuxnet virus — attributed to the US and Israel — which slipped from the Internet into the air-gapped network used by the Iranian nuclear program, Breaking Defense reported.
Once inside, Stuxnet sabotaged the software on centrifuges used to enrich uranium and caused many to spin themselves to the point of breakdown.
But here’s a huge distinction between Stuxnet and SolarWinds — at least, so far.
The SolarWinds hack doesn’t seem to have done any actual damage to either physical hardware or network functions — not exactly Pearl Harbor.
“Hacking like this — especially to this extent — might go beyond espionage, but we don’t really have anything to say it’s unlawful under international law,” said Australian-based legal expert Cassandra Steer. “And let’s be clear, the US has engaged in similar activity, just never to this extent” — again, consider Stuxnet.
And what if you don’t trust lawyers to tell you what war is? Well, you can consult your Clausewitz, the famous — and famously cynical — Prussian theorist of armed conflict.
He wouldn’t consider this “war” either, said Tom Mahnken, a veteran of long service in the Navy and civilian Pentagon posts who now heads the Center for Strategic & Budgetary Assessments.
Clausewitz defined war as “an act of force to compel our enemy to do our will,” Mahnken noted. “What remains essential to war is that it is meant to compel an adversary – to achieve political objectives. That’s not what this hack is about: It is a classic intelligence-gathering operation.”
Traveling around Europe as a student, Air Force acquisition chief Will Roper recalled, he saw plenty of ruined castles.
Their history, he said, proves that a single wall is never enough. In those castles Roper saw, the art of fortification included multiple lines of defense with multiple fallback positions, mottes and baileys, curtain walls and inner keeps.
“Just having a single perimeter that your adversary is never going to get through — if that’s your plan, there’s a burned castle in your future,” he said.
Sources: Breaking Defense, Wired, Bloomberg, CNN Business