On this week’s Political Gabfest, David Plotz, Emily Bazelon, and John Dickerson talked with Alex Stamos, director of the Stanford Internet Observatory, who previously served as chief security officer at Facebook, about the SolarWinds cyberespionage attack. Their conversation has been edited for length and clarity.
David Plotz: Alex, there are reports this week that some clever and highly resourced people have broken into some of the most secure aspects of the American government and corporations. We are only beginning to understand what was compromised and what may have been taken. What has happened?
Alex Stamos: To understand this story, we’ve got to think about the different groups in Russia. There are three main intelligence agencies there. The GRU is one we’ve often talked about because they were behind the DNC hack and a lot of election issues. They’re the military intelligence folks, they’re like a sledgehammer. They will hit you in the face very hard, and it is never very subtle.
There’s the FSB, which does internal security, and they’re very scary people. They have various hacking groups at different levels of skill. And then there’s the SVR, the part of the KGB that did overseas intelligence, the ones in the TV show The Americans. If the GRU uses a sledgehammer, the SVR uses a scalpel. They have always had the best hackers of all the Russian intelligence agencies, and they are the people behind this. They pulled off what looks to be one of the most impressive intelligence-gathering operations in the history of the world.
Sometime in March, the SVR was able to break into a company that makes really critical IT software called SolarWinds. Most consumers have never heard of it, but it’s a very popular piece of software among IT professionals; it’s used by big companies to manage their network devices. If you run a big company, you’ve got thousands of network devices you need to manage, so you install the software. That means the software is installed in a place that is very, very privileged and has lots of power in the network, because it can talk to all these different devices, and it has to be able to log into all these devices.
The SVR broke into this one company, SolarWinds, and they put a backdoor into the software that was then intentionally downloaded by what looks to be about 18,000 customers. Those customers updated the software, and in doing so brought this SVR backdoor into their network. It then called out very subtly and said, “Here I am.” At that point, Moscow had a shopping list of all of the organizations across the world they could break into. And they very carefully picked which organizations on that list they cared a lot about.
Then human beings would go and control the computer inside of those organizations and add more and more malware and find information in actual trading. This was only caught because one of the companies they picked is a company called FireEye, which is a professional security company. They caught it, reverse-engineered it, figured it out, and then told everybody else. FireEye is doing its own internal investigation, but now what we’re dealing with is that the SVR could have walked in this door any time between March and December, and we have no idea how many of the 18,000 customers have been hit.
Right now, we know that this backdoor was used for the Department of Defense, the Department of Homeland Security, the Treasury Department, part of the Commerce Department, and a variety of other private companies. This is still ongoing, because while that initial backdoor has been closed, if the SVR walked through any time between March and December, they could have planted much more subtle ways to get back in, and some of those things might not wake up for months or years.
The metaphor I use is the iron harvest, where every year French farmers still find bombs from World War I and World War II. It’s going to be the same thing for years: We’re going to be finding exploits that were planted in these networks by the SVR for a very long time.
Emily Bazelon: That’s completely terrifying and disturbing. What the hell do we do now?
Stamos: We have to respond specifically to this issue. That’s going to be incredibly hard, because there aren’t 18,000 teams on the planet that can go and hunt for hackers at the quality that we’re talking about here. On the government side, there are a bunch of things that we’ve got to think about. I had three initial things in an op-ed I wrote for the Washington Post.
First, we have to treat defense as importantly as offense and intelligence gathering. The U.S. government has never really centralized its defensive work. The responsibility for defending both government computers and the systems of private companies has been smeared across a bunch of different organizations. That changed a bit two years ago, when they created CISA under the Cybersecurity and Infrastructure Security Agency. (They love security so much they used the word twice.) CISA centralized a lot of this responsibility. The first director of CISA was Chris Krebs. He did a really good job of building that up, and then he was fired by Donald Trump for telling the truth. At this point, I don’t think CISA has any political appointees, so they are career civil servants, who are doing their best, but there’s nobody up top who has the pull to be able to do the inter-agency process.
CISA has 2,200 employees. The National Security Agency, which is one of 17 different intelligence agencies in the United States, has 40,000 just by itself. So we put all of our efforts behind the offensive stuff of reading the email of the Chinese Communist Party, of blowing up Iranian centrifuges. We don’t think about the defensive side, and when you run the world’s largest and most technologically sophisticated economy, it turns out you’re also the biggest target in the world for this kind of stuff. So we have to rebalance that.
Then we’ve got to bring some of this expertise in at the high level. The truth is that Washington has for a very long time treated cybersecurity as something that’s best done by lawyers and public policy generalists. Fine, there are a lot of policy and legal people who have important things to contribute here. But you would never have a malpractice attorney be the surgeon general of the United States, and that is effectively how we treat all of our cyber positions.
The third thing we’re really missing is somebody to do the post-mortem and help us explain what went wrong. When a plane crashes, we have the National Transportation Safety Board. NTSB is very well respected. They don’t do all the work themselves, but they pull together the work of all the different engineers and scientists and forensic examiners, and then they say: “This is what went wrong. This is the bolt that failed on the plane.” They do that all the way up to the organizational decisions inside the airline that allowed that bolt to fail. Nobody does that for cyber, and as a result we end up not learning. We end up not even understanding most of the stuff that happened.
To hear the entire episode, in which the hosts also discussed Attorney General William Barr’s resignation and President-Elect Joe Biden’s Cabinet picks, subscribe to the Political Gabfest on Apple Podcasts or listen below.