If you want to defend a fortress, you start by keeping unfriendly characters away from the gates.
This insight is neither novel nor antiquated. Medieval castles were built with moats and drawbridges for a reason. Our British friends, who know a thing or two about castles, use a modern version of this approach with a guarded gate that seals off access to London’s Downing Street, the seat of executive power in the United Kingdom.
Assuming some intruders make it past the gate, they will find it impossible to pick the lock to gain access to Number 10, Britain’s rough equivalent of the White House. This is because there is no lock on the door to Number 10. The residence has reportedly not been left unattended in centuries. There is always a trusted staff member to admit – or deny admittance to – anyone who reaches the threshold. The blast-resistant door, installed nearly three decades ago after a mortar assault by the Irish Republican Army, cannot be opened from the outside.
America’s latest cybersecurity debacle illustrates that we have a lot to learn about defending the treasury, and the rest of our national crown jewels as well. The Treasury Department is one of several government agencies – and potentially thousands of enterprises overall – whose networks may have been compromised by highly sophisticated actors. The Commerce and Homeland Security departments were also hacked. Strong suspicions have been directed at Russia’s foreign intelligence services; Russia, predictably, denies any connection to the exploit.
The attack apparently began at SolarWinds, a company based in Austin, Texas, that makes software tools for managing networks. Between March and June of this year, the suspected foreign operatives planted malware in updates of SolarWinds’ Orion product. Orion is reportedly used by more than 30,000 organizations. Some 18,000 may have downloaded the compromised versions of the software.
One of those companies was FireEye, a provider of (ironically) network security products. The attackers were able to steal FireEye’s tools, which may have provided an entirely new roster of potential targets to infiltrate. But it was FireEye that ultimately realized it had been hacked, traced the source back to SolarWinds, and raised the first alarm.
On Sunday the U.S. Cybersecurity and Infrastructure Security Agency ordered all federal departments to immediately power down and disconnect equipment using the Orion product and take a series of damage-assessment and remedial steps. If these measures sound like too little and too late, that is because they are exactly that. We may never know the full extent of the damage to national security and private businesses. And given the startling number and variety of potentially affected organizations, and all their interconnections across the global network, the reverberations of this exploit are likely to continue for years.
This is far from the first time someone has picked America's digital pockets. The ultra-secret National Security Agency had its own hacking tools stolen sometime before 2017, when a group known as the Shadow Brokers placed them online. Those tools have since powered an epidemic of ransomware that has made life miserable and costly for state and local government agencies, health care providers and school districts.
Against this discouraging backdrop, the demands by law enforcement agencies for technology companies to deliberately include backdoors and vulnerabilities in their products are ludicrous. As recently as this spring, when the Orion attack was likely well underway, Attorney General William Barr criticized Apple for its continued refusal to help the Justice Department crack its encryption. The FBI, too, has pressured Apple for backdoors to make investigations easier. But promises to hold the keys to those backdoors in confidence, and to use them only in court-approved or other legally sanctioned situations, cannot be taken seriously. How can we expect the government to protect our data integrity when it cannot defend its own?
Sunday’s discouraging news about SolarWinds brought the usual pledges of stern action against the perpetrators. This, too, is ludicrous. Hackers working under official auspices in Russia, China, Iran and North Korea (likely among other places) set their alarm clocks in the morning and come home from work at night, or at least they did in nonpandemic times. They are doing their jobs. Our government’s job is to make sure they can’t, or at least to make it as difficult as possible.
As I have written before, this should involve restructuring the internet as we know it. We can’t stop adversaries from spying on us, but we can at least make them take more than a metro ride or a walk to their kitchen table to do it. The open-access global internet is an idea whose time has passed. A more secure, geographically limited version should at least be available for the great majority of users who have no need for their data packets to detour to Moscow, Beijing or Tehran. “Air gapping” to keep secure data from reaching insecure networks should be built into a wide range of equipment. Countries that weaponize the network against us should be kept off the network. So should countries that provide alternative gateways to these bad actors. At the very least, a more secure parallel network should be available as an alternative to what we now have.
There is no such thing as a perfect defense. There are side doors to the seat of government in the U.K. that can, in fact, be opened from outside. No fortress is truly impregnable. But some are a lot more pregnable than they ought to be.