The problem with trying to understand the massive data breach the United States is dealing with at the moment is that the list of agencies and industries that have been affected just keeps growing. There are Fortune 500 companies, places like Microsoft and Cisco. Then there are state and federal governments: the city of Austin, Texas, the U.S. nuclear weapons agency, the Department of Homeland Security.
And Slate’s Fred Kaplan says that right now, all of these places have a bunch of workers scouring their back-end systems, looking for clues. They are looking for signs of a perniciously quiet kind of infiltration, one made possible by malware that rode in as part of a software update pushed out months ago to nearly 18,000 clients of a firm called SolarWinds. “We’ve never really seen anything like this,” said Kaplan, the author of Dark Territory, a book about the history of cyberwarfare.
This kind of hack is called a “supply chain” attack. It works like this: A hacker plants malware in code used by a software company to build its products. It’s called “Trojanizing,” because the malware then gets popped into the software company’s own code, and when they send out a software update, it gives the hackers access to all those private networks. Instead of hacking the government, you hack someone who already has access to the government. As digital security has gotten tighter, complicated hacks like this one have become more popular, especially because supply chain attacks are difficult to detect.
Everything about this hack is shrouded in unknowables. Who was the target? What information have the hackers taken? The only thing cybersecurity experts do seem sure of is who was behind the plot: Russia. “Not many other countries could have done this,” said Kaplan.
And the only reason any of us know about this operation in the first place is because the people behind it got too ambitious. They tried to hack into a Silicon Valley security firm, which noticed the infiltration and raised the red flag. On Monday’s episode of What Next, I talked with Kaplan about the hack and the urgent question the U.S. is now facing: When you’re dealing with a digital incursion, what are the rules of engagement? Our conversation has been edited and condensed for clarity.
Mary Harris: On the Sunday shows, a senator said, Well, the good news about this hack is it looks like the confidential servers have not been breached. Does that reassure you?
Fred Kaplan: So that might be true. But I find it not at all assuring that the federal government, which has intrusion detection systems, didn’t detect this for eight months. Any time something like this happens, you catch it and have a sigh of relief. But then you’ve got to wonder what’s out there that we haven’t found yet.
What might this hack mean? It feels so unknowable. It’s not like a million credit card numbers were stolen. It’s vaguer than that. What are your sources telling you about the potential goals?
A lot of it’s just espionage. How are you doing your thing? How are you managing your security?
I love how you said that. It sounds like, you know, we’re used to a little espionage here and again.
Yeah, this is massive, massive espionage. Look at something like the National Nuclear Security Administration. OK, let’s say the classified part of that is off-limits to these guys. There are still things you can learn about budgets, about programs and where the money is going. In other words, if you took a comprehensive pile of information that happened to be unclassified and put it all together, you could come up with some secrets. You could come up with some things that cumulatively would be classified.
Should the government have seen this coming?
Going back to the very, very beginning, the dawn of the internet age, in 1967, they were about to roll out something called the ARPANET, the progenitor of the internet. There was a computer scientist named Willis Ware. He was the head of the computer science division of the RAND Corp. and he was on this scientific advisory board of the NSA, and he wrote a memo at the time warning that you have to realize that once you set up something like this where you have multiple unsecured access points to information that might be confidential, you’re creating inherent vulnerabilities. You might not be able to keep secrets anymore.
Part of what stands out to me reading your work over the last number of years is that this kind of hack wasn’t a failure of imagination on our part. You tell a great story about how Ronald Reagan saw the movie War Games with Matthew Broderick, where a teenager hacks into a defense system, and said to his people, Hey, could this happen? And the answer is yes, it could.
That was in 1983 and that was the unlikely beginning that led to a directive which was the first government policy on what we now call cybersecurity. But it didn’t go anywhere because the guy who wrote the directive was working for the NSA and basically he wanted to give the NSA authority to set the standards for all computers in the United States, private, public, everything. And there were civil liberties activists in Congress and elsewhere who quite rightly said, No, this is not a good idea. And so the idea was kind of sort of disappeared for about another decade until real hacks started to appear on the scene.
In the ’90s when Clinton was president, there were colonels and generals in the military who had never used a computer. Clinton didn’t use the internet. It was all very new. And then there were measures proposed to impose mandatory cybersecurity requirements on what they call critical infrastructure—things that make society run, banking and finance, waterworks, oil and gas, electrical power, stuff like that. And these are all, in this country, mainly controlled by private companies, and they resisted any such requirements as onerous regulations. And they kind of got away with it.
The head of U.S. Cyber Command is a guy named Paul Nakasone, and I was struck by the fact that back in 2018 he was speaking to Congress and basically admitted that the U.S. is a punching bag when it comes to our access to data, and this hack seems to have proved that right. But it does make me wonder: Is he not doing his job?
No, he’s doing his job. What he’s doing, he’s reciting a fundamental and inherent fact about this technology. When people are still going around the country giving speeches, I did some of these, and I would always tell conferences of cybersecurity people that your job is secure. We could find the cure to cancer and set up colonies on Mars, and you will still have your job.
Can we talk about how hard this hack is going to be to clean up? Because I was struck by the op-ed in the New York Times by the former Homeland Security chief who basically said, We’re talking years. Like, as soon as this news broke were people in homeland security like setting fire to their laptops?
An order did go out to shut down anything that had SolarWinds on it.
But is that even possible?
Well, I don’t know. It’s a lot of computers. I was told last Friday that it is still not known where this malware came from. In other words, they know that it was inserted in the back door and some supply chain, but they don’t know exactly where. So the same supply chain could be providing the ingredients for some other networks as well that we just don’t even know about.
What do we do now?
I think we do have to go back to the idea of some kind of mandatory security requirements. In terms of what to do about Russia now, I’m not really sure. At some point you say, Look, this one just stepped over the line, we’ve got to take some measures. This is something I’m still thinking through and I’m talking with others who are thinking it through. One of the things you do is you do something that damages Putin personally.
Because he had to approve this. And you’re saying, Here we’re punishing you personally. The CIA, for example, knows where all of Putin’s money is. I think it’s time to step up that kind of thing. For a while we were like issuing indictments to the heads of some Russian or Chinese cyber group. Come on! Nobody’s going to extradite these people. I guess if one of them was foolish enough to travel to the United States, they could be arrested on the spot, but that’s not going to happen.
What are the rules of engagement in cyberwarfare?
There has not been very much systematic thinking about what is cyberdeterrence. Like nuclear deterrence: weeks after the bomb hit Hiroshima and Nagasaki, there were civilians who were thinking, OK, is this a fundamentally new kind of bomb, or is this just a regular bomb but a lot bigger? And then, if it’s fundamentally changed, the big task now is to prevent war. And so how do we deter another country from attacking us? And they came up with this idea of, well, we have to have a secure second-strike capability—some weapons that we can keep relatively invulnerable so that if they attack us, we can attack them. And it’s kind of worked.
With cyber, where do you draw this line? You can’t just say you attack us with cyber, we’re going to attack you because there are millions of cyberattacks. What is the difference between a nuisance attack and something that genuinely harms national security? If a bank is attacked. Well, that’s a bank. What if a dozen banks are attacked? Is that something the federal government should get involved in protecting? There are all these very knotty questions. Where do you draw the line? What are you going to promise that you will do? And while there have been some think tanks that have talked about this, this has not yet been worked out. There is no real systematic strategy. In terms of analogizing it to nuclear weapons, we’re still in 1946.
Huh. Like we’d know if some soldiers marched across our border oh, bing warfare, but when someone marches into our computer systems, not so much.
Robert Gates, when he was secretary of defense, when Bush was still president, he kept getting these daily reports about all these things getting hacked, and he put a question to the Pentagon’s general counsel saying, At what point do these attacks amount to an act of war as defined by international law? And he got the answer back months later, and it’s that under some circumstances, it could be deemed an act of war. But they didn’t really say much more than that—vague things like maybe if somebody is killed or there’s significant property damage, whatever that means. We’re in the thick of this, and the technology has gone way, way, way, way ahead of policy. And we haven’t worked out a basic strategy, much less an operational one, to deal with this.
I do wonder if the fact that this hack was so broad makes our response more simple because there are so many people, countries, companies that were affected that we have a lot of allies if we know how to use them.
Well, that’s true. Whatever it is we do, we shouldn’t do it alone. It should be done with a lot of allies. There are about 20 countries that have militaries with cyber offensive units to one degree of effectiveness or another. When Robert Gates was secretary of defense, getting all these briefings about one hack or another, at one point he told some colleagues, We’ve got to get together. Even during the height of the Cold War, there were certain rules that the U.S. and the Soviet Union followed. For example, we don’t kill each other’s spies. We’ve got to get together with the cyberpowers and work out some rules of the road, some rules of engagement, because we’re treading in dark territory. Accidents are going to happen. OK, that was back when there were maybe four or five countries that you could have dealt with and probably could have got together some big forum where they would work out a kind of Congress of Vienna to figure out how they were going to do this. Now, these countries include Iran, Syria, North Korea. How are you going to get a Congress of Vienna including these people? It’s really sort of spun out of control.