January 06, 2021
Hello, and welcome to the first Codebook of the new year. This week, we're thinking about how hacks like SolarWinds can reverberate for years — and how all its effects may never fully be known to U.S. officials.
Today's newsletter is 1,212 words, a 4.5-minute read.
1 big thing: Russia’s SolarWinds hackers likely burrowed deep
Russian cyber operators are almost certainly still rummaging through U.S. networks, potentially lifting data or setting traps for future havoc even as officials scramble to assess the damage Moscow's hack has already dealt.
Why it matters: The hack, powered by malicious code inserted into an update of SolarWinds network management software, could be among the most significant in the country’s history, perhaps on par with China’s hack of the Office of Personnel Management or Russia’s 2014 hack of the State Department.
Driving the news: The FBI, NSA, CISA and the Office of the DNI in a joint statement Tuesday confirmed what has been widely accepted in the cybersecurity world: The hack was likely the work of Russia. (Specifically, Russia's SVR intelligence agency is thought to be behind it, though the statement stopped short of such specific attribution.)
- The agencies also said that, although the update went out to some 18,000 SolarWinds customers, far fewer public or private entities were actually compromised.
- So far, fewer than 10 government bodies have been identified as having been breached, the agencies said.
Yes, but: Even if the cyber operation narrowly focused on just a handful of targets, its impact could far exceed its footprint.
- Already, experts say Russia may have used the exploit to breach critical U.S. infrastructure like power plants.
- Microsoft, meanwhile, said hackers viewed some of the company’s source code.
- And the federal agencies that are known to have been affected are among those responsible for some of the nation's most vital and sensitive work, including the State, Treasury, Energy, Commerce and Defense departments.
The intrigue: Nation-state groups — called “Advanced Persistent Threats” in cybersecurity jargon — aim to achieve persistent and long-standing access to desired targets.
- Once they burrow into a network, they almost always surreptitiously develop contingencies for how to stay there, even if their initial point of entry is discovered.
That prospect of persistent access is complicated further by the fact that we still don't know exactly what the Russian cyber spies were looking for. Broadly speaking, there are three possibilities:
1. The hackers deliberately cast a wide net as cover to obscure the fact that they were after a specific target.
- While U.S. cyber defenders continue puzzling over just how many doors have been wrenched open, Russia may have devoted, or may still be quietly devoting, intensive resources to extracting information from one particular agency, department or dataset.
2. The hack was aimed at compromising the maximum number of U.S. government (and perhaps other) targets simultaneously, allowing Moscow to sift through vast troves of likely unclassified, but still sensitive, data.
- Down the line, such data may prove useful in, for instance, giving Russia — or China, Iran or another hostile foreign power, should Russia trade it away — a strategic advantage in diplomatic negotiations.
- Or if an American intelligence operation halfway around the world is blown, U.S. counterintelligence officials may be left wondering if somehow it is related to information stolen in the hack.
3. The hack began as a narrow operation but, after Russia got what it was after, broadened, with the hackers fully expecting to get caught.
- The SVR could then sit back and let the long afterlife of its compromise commence, driving stateside panic and distracting U.S. cyber warriors as Russia moves on to future operations.
The bottom line: No matter what, Russia now knows that the SolarWinds hack may tie U.S. counterintelligence experts into knots for many years to come.
2. New NDAA contains major cyber provisions
The new National Defense Authorization Act (NDAA), which passed last week over President Trump’s veto, contains 25 cybersecurity-related provisions born from the recommendations of the bipartisan Solarium Commission.
Between the lines: While the bill is far broader than cyber alone, it is “among the most consequential cybersecurity bills ever to become law,” Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, said in a statement.
Driving the news: Among the most consequential items in the NDAA is the creation of a new, Senate-confirmed “National Cyber Director” position to serve within the White House as the president’s chief adviser on all cybersecurity matters, working as part of a new “Office of the National Cyber Director.”
- The NDAA also calls for the development of a “Continuity of the Economy Plan” in case a major cyberattack leads to key networks being knocked offline and commerce ground to a halt.
Details: The bill also...
- Establishes a “Joint Cyber Planning Office” based in the Department of Homeland Security.
- Grants DHS’ Cybersecurity and Infrastructure Security Agency administrative subpoena power, meaning it can demand information from ISPs and others about vulnerabilities it uncovers.
- Requires the commissioning of a report examining the dangers that quantum computing may have on U.S. national security.
- Instructs the Pentagon to create a plan for shoring up the defense of the nation’s nuclear command and control systems from cyber intrusions.
3. How China’s tech giants and intel services work together
China’s tech giants are using their big data analytics capabilities to process data pilfered by Beijing’s intelligence services, U.S. officials told me for an article in Foreign Policy.
The big picture: Beijing’s ability and willingness to press Chinese firms into service to assist with surveillance and national security aims is a central piece in the U.S.’ growing ideological and technological clashes with China.
What they’re saying: “Chinese technology companies play a key role in processing this bulk data and making it useful for China’s intelligence services,” said William Evanina, the U.S.’ top counterintelligence official.
- “The companies they are using are portraying themselves as large, legitimate, multinationals that have footprints across jurisdictions,” said a former national security official. “These are not simply tiny little ... defense contractors working inside China. They are major multinationals with footprints all over the world.”
How it works: The Chinese tech giants don’t have a choice in the matter — they are compelled by Chinese law to assist Beijing’s spy agencies, say U.S. officials.
- That includes using their data-processing capabilities to help sift through vast tranches of potential intelligence when Beijing’s national security agencies demand it.
- The companies then promptly return the “conditioned,” or worked-up, data to the government, say U.S. officials.
Yes, but: The relationship between the tech giants and China’s spy services can still be tense. “The private companies are hostages to it,” a former counterintelligence executive said. “Arguments ensue.”
- “Sometimes, U.S. intelligence officials would learn about ‘pissed-off employees’ at Chinese companies upset about ‘doing extra work’ on behalf of Chinese intelligence,” the former executive said. “But they were obligated to comply.”
4. China escalates its Hong Kong crackdown
Former lawmakers were among dozens of pro-democracy activists arrested on Wednesday under the national security law imposed by China, per opposition groups and local media, reports Axios' Rebecca Falconer.
Why it matters: Hong Kong had enjoyed a high degree of autonomy, but the passage of the sweeping security law by Chinese lawmakers last June has led to a major crackdown on the pro-democracy movement. It has escalated in recent weeks, with the arrests of activists including media tycoon Jimmy Lai and the imprisonment of other prominent figures like Joshua Wong and Agnes Chow.
What's new: Police took some 50 people into custody in the crackdown.
- Former lawmakers Alvin Yeung, Lam Cheuk-ting, Andrew Wan and James To were among those arrested "on allegations of subversion" for holding an informal primary last July for a legislative election that was later postponed, per Bloomberg.
My thought bubble: Watching what’s happening in Hong Kong is difficult to stomach — a semi-independent city-state being crushed and blotted out by a vast despotism. It’s a very old story, and it strikes at the core of our common understanding of human freedom.
Go deeper: Hong Kong's worst-case scenario is happening
5. Odds and ends
- A British judge rejected a U.S. request to extradite WikiLeaks’ Julian Assange. (ABC News)
- On the political economy of the SolarWinds hack. (Matt Stoller)
- Pandemic relief money went to outlets peddling coronavirus-related misinformation. (Yahoo News)
- CIA has rebranded its logo and website. (AdAge)
- Singapore repurposed its coronavirus-tracing app for law enforcement investigations. (CyberScoop)