The Coup in the Kremlin
How Putin and the Security Services Captured the Russian State
Last month, the cybersecurity firm FireEye alerted the U.S. government that hackers had breached its defenses and accessed the networks of its clients, which include numerous U.S. federal agencies and major corporations. Since then, U.S. investigators have unearthed evidence of an enormous, months-long foreign hacking campaign that gained access to the networks of at least 18,000 companies and government entities through a weak link in their supply chains: a piece of management software produced by the Texas-based company SolarWinds. Analysts are still investigating the exact source of the hack, but all evidence points to the Russian external intelligence agency known as the SVR.
Russia appears to have easily evaded U.S. cyberdefenses. At least six U.S. federal agencies failed to detect the malicious activity on their networks. Among them were the Department of Commerce, the Department of Energy, and the Department of State. The Department of Homeland Security’s expensive system for protecting these agencies, Einstein, also failed to pick up the activity. In the end, the hack was discovered not by artificial intelligence, machine learning algorithms, or classified intelligence capabilities but by a suspicious FireEye employee: the hackers attempted to add multifactor authentication to a compromised device operating on the FireEye network, and an analyst from the firm’s security center reached out to the device’s owner to verify that the request was legitimate. The owner said it was not, and FireEye began the investigation that eventually exposed the hacking campaign.
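The detail that ended this campaign is worth turning into a reusable control: a new MFA device registration is a high-value event, because an attacker who already holds credentials uses it to make access durable, and the cheapest defense is to treat every enrollment as unverified until the account owner confirms it out of band. The script below is an added example, not FireEye's tooling or the page's own code; it runs over constructed JSON-lines enrollment events (the field names, the `KNOWN_DEVICES` inventory and the corporate address prefix in `CORP_NETS` are all assumptions) and returns the enrollments an analyst should confirm with the owner, with the reasons each one was flagged.

```python
import json

# Constructed baseline: devices already enrolled per user. In practice this would
# come from the identity provider's device inventory (assumption, not a real API).
KNOWN_DEVICES = {
    "alice": {"alice-laptop-01"},
    "bob": {"bob-phone-01"},
}

# Constructed sample log, JSON lines. Field names are assumed, not any vendor's schema.
SAMPLE_EVENTS = """\
{"ts": "2020-12-01T09:12:03Z", "user": "alice", "action": "mfa_device_enroll", "device": "alice-laptop-01", "src_ip": "10.20.30.40"}
{"ts": "2020-12-01T22:47:19Z", "user": "alice", "action": "mfa_device_enroll", "device": "unknown-android-7f3", "src_ip": "203.0.113.9"}
{"ts": "2020-12-02T10:05:44Z", "user": "bob", "action": "login", "device": "bob-phone-01", "src_ip": "10.20.30.41"}
{"ts": "2020-12-02T10:06:10Z", "user": "bob", "action": "mfa_device_enroll", "device": "bob-phone-02", "src_ip": "10.20.30.41"}
"""

# Assumption: the organisation's internal address space starts with these prefixes.
CORP_NETS = ("10.",)


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    """True when the source address falls inside the assumed corporate prefixes."""
    return ip.startswith(CORP_NETS)


def find_enrollments_to_verify(events, known_devices):
    """Return (user, device, reasons) for every MFA enrollment that should be
    confirmed with the account owner out of band before the device is trusted.

    Every enrollment of a device not already in the inventory is flagged; a
    non-corporate source address or an off-hours timestamp adds further reasons
    so the analyst can prioritise. The inventory passed in is not mutated.
    """
    seen = {user: set(devs) for user, devs in known_devices.items()}
    findings = []
    for ev in events:
        if ev.get("action") != "mfa_device_enroll":
            continue
        user, device, ip = ev["user"], ev["device"], ev["src_ip"]
        reasons = []
        if device not in seen.setdefault(user, set()):
            reasons.append("new device not in inventory")
        if not is_corporate(ip):
            reasons.append(f"enrolled from non-corporate address {ip}")
        hour = int(ev["ts"][11:13])  # timestamps are ISO 8601 in UTC
        if hour < 7 or hour >= 19:
            reasons.append("enrollment outside business hours (UTC)")
        if reasons:
            findings.append((user, device, reasons))
        # Record the device so a repeat enrollment is not flagged twice as "new".
        seen[user].add(device)
    return findings


if __name__ == "__main__":
    for user, device, reasons in find_enrollments_to_verify(
        parse_events(SAMPLE_EVENTS), KNOWN_DEVICES
    ):
        print(f"VERIFY WITH OWNER: user={user} device={device}")
        for r in reasons:
            print(f"  - {r}")
```

The design point is that the first rule alone (any device not in inventory) would have produced the ticket that exposed this campaign; the other two rules only rank it. Routing such findings to a human who contacts the owner through a channel the attacker does not control is what turns the log line into a detection.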
Such a colossal failure might reasonably lead observers to second-guess the United States’ long-standing cyberstrategy. But as details of the hacking campaign emerge, they will likely reveal that the failure was not one of strategy but of execution. To address the country’s vulnerabilities now requires not a new grand cyberstrategy but the discipline and resources to implement the current one. That means laying the groundwork for improved collaboration and coordination among government agencies and private technology companies, carrying out a thorough investigation of the failures that occasioned the SolarWinds hack, and responding proportionally in order to deter future cyber-incursions by Russia or other U.S. adversaries.
For more than two decades, U.S. cyberstrategy has been predicated on the need for government and private enterprise to work together to counter threats. No federal agency has the ability to detect and deter all foreign adversaries in cyberspace, so the public and private sectors must cooperate. Yet the United States has never built the structures or capabilities needed to fully implement such a joint effort. Instead, every four to eight years, the president or Congress has assembled a different group of experts to hash out a new approach—as the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th President did in 2008, the White House Commission on Enhancing National Cybersecurity did in 2016, and the U.S. Cyberspace Solarium Commission did last year.
Each of these commissions had a broad mandate to rethink U.S. cyberstrategy, and each concluded the same thing: that a public-private partnership is the only viable approach. The commissions each recommended long lists of means for forging such a partnership, including by strengthening the mechanisms and procedures by which federal agencies collaborate and share information, both among themselves and with the private sector. Unfortunately, most of these recommendations were either only partially implemented or ignored.
In 2014, for instance, hackers thought to be connected to the North Korean government breached Sony Pictures. The administration of President Barack Obama responded by establishing the Cyber Threat Intelligence Integration Center (CTIIC), modeled on the National Counterterrorism Center, to coordinate the collection and sharing of information on cyberthreats. Yet the CTIIC was not granted sufficient funding or authority to fulfill its mission. Competition, privacy concerns, and cultures of secrecy still impede the flow of information on cyberthreats among and between intelligence agencies and security teams at private companies.
It is too early to say precisely why the intelligence community failed to detect, and U.S. Cyber Command failed to disrupt, the recent Russian hacking campaign. The National Security Agency, which tracks cyberthreats against the government and U.S. businesses, may not have been able to gain access to the Russians’ networks and so could not track their activities. More troubling is the possibility that the U.S. government simply failed to connect the dots: the NSA and other intelligence agencies likely collected pieces of the puzzle but did not share them with other government agencies or private entities that could have combined them with data from law enforcement or the private sector to recognize the hacking campaign and thwart it before damage was done.
The United States badly needs an entity of sufficient scale and authority to develop and implement a centralized cybersecurity policy and to marshal the federal resources needed to make that policy successful. Luckily, this gap is about to be filled. On New Year’s Day, Congress passed a National Defense Authorization Act that fulfills one of the Cyberspace Solarium Commission’s central recommendations: the creation of a national cyber director (NCD) at the White House with sufficient staff and authority to overcome the coordination hurdles that have impeded the implementation of U.S. cyberstrategy for the last two decades. (Whether Congress will fund the new office at a level that enables it to carry out its mission remains to be seen.)
Once the position is established, the NCD should exhaustively investigate this latest breach in order to understand how the SVR was able to penetrate and spy on U.S. networks for months without being detected. The NCD should not only document possible failures in U.S. policies and systems but also propose, test, and execute solutions to those problems. Should the investigation encounter roadblocks, such as uncooperative federal agencies or private companies, the NCD should document the obstruction and press Congress for the authority to overcome it. And when tradeoffs between privacy and security are found, the NCD should highlight the concerns for lawmakers so that an appropriate compromise can be reached.
In all likelihood, the NCD will find that systems failed at every level. Some cybersecurity tools will have failed to detect signs of malicious activity. Others will have detected the activity, but the agencies or companies operating them will have failed to share these findings with the rest of the cybersecurity community. If and when such determinations are made, the NCD should propose new mechanisms and incentives for sharing information across agencies and between the government and the private sector.
The incoming administration of President-elect Joe Biden must not only improve the United States’ ability to detect and disrupt hacking campaigns but also respond to Russia’s intrusion in a way that deters future cyber-aggression. Just what that response should be—and how it is calibrated—will depend on Russia’s motive for its hacking campaign, something that U.S. analysts are still working out.
If forensic evidence suggests that the campaign was intended to enable a destructive cyberattack against the U.S. government or U.S. industry, an in-kind response could be justified, such as turning off the lights in Moscow. If, however, Russia’s goal was espionage, it will be harder to justify such a punitive response. Moscow will not have violated any norms of intelligence gathering—spies spy, after all. When they get caught, nations whose secrets are sought make halfhearted protests but signal by other means that they do not intend to escalate. As General Michael Hayden, who directed the CIA and the NSA during the administration of President George W. Bush, said after China hacked the U.S. Office of Personnel Management in 2014, “Not shame on them; shame on us.”
The incoming administration may wish to consider promoting new norms that would make this kind of widespread intelligence collection unacceptable. Such norms might leave the United States better off relative to its adversaries, since it might be able to gain what it needs via small, targeted operations or gamble that it won’t get caught doing wholesale exploitation. Spying is tolerated in part because of the supposedly stabilizing effect of espionage: clandestine information often reveals adversaries’ intentions to be less dire than previously feared. But this norm predates cyberspace and does not account for the fact that hackers often get caught publicly, frequently by third parties, or under circumstances that governments can’t keep quiet. In democracies, this kind of public scandal places additional pressure on elected leaders to respond to cyber-espionage in an escalatory manner.
The challenge for the incoming administration will be to devise a response to the SolarWinds hack that is in some way proportional but that does not replicate Moscow’s bad behavior. Such a response will have to telegraph to Moscow which aspects of its hacking campaign were acceptable and which the United States is declaring out of bounds. But no matter what signals it sends or actions it takes, the Biden administration will struggle to shield federal agencies and private businesses from future hacking campaigns unless it implements the cyberstrategy first articulated more than two decades ago. Only a strong public-private partnership that promotes cyber-intelligence sharing and facilitates coordinated responses to threats can keep the United States’ systems safe.