The Crisis Facing America’s IT Systems

The apparent attack by Russia's S.V.R. intelligence service on America's computer systems establishes beyond a shadow of a doubt that the United States faces a cyber crisis of major proportions. The private sector and many government agencies have declined to spend the money and hire the personnel needed to make their systems secure. The private sector has declined in order to maximize profits; government agencies have declined because it has been difficult to justify to Congress the funding that fixing the problem would take.

The implication of this attack, combined with my extensive reporting on Chinese government patterns of attack (seen here and in a National Interest piece), is that foreign governments currently have extensive access to the majority of America's computers. They can sit inside and watch for years unless we make a commitment to ourselves to get serious about resisting it. I realize that the National Security Agency penetrates other countries' systems, but I submit that what Russia and China are doing is far more systemic and strategic.

We must overcome our divisions and recognize that the private sector's computer systems open a door to penetration of governmental systems. Apart from the NSA and the Central Intelligence Agency, which run their own networks, the majority of government agencies depend on civilian networks either to conduct research or to acquire goods and services. The Pentagon, for example, uses more than 300,000 private sector suppliers. Yet it does not have the legal right to monitor the systems of those companies to detect foreign state actors.

Both the Chinese and the Russians have learned how to exploit our vulnerabilities. China's Ministry of State Security uses publicly disclosed vulnerability lists to enter systems identified as affected before patches are applied. Chinese government-related entities have mastered the art of the supply chain attack, in which they penetrate the unprotected systems of small companies and work their way up to larger and larger companies. They are invisible because their traffic appears legitimate: the Chinese attackers hold legitimate user IDs and passwords. Now they are penetrating the computer systems of American companies in China and using them as platforms to penetrate those companies' global systems.

One key we have seen in both the Chinese and Russian attacks is that they understand our software supply chains. It is very expensive to produce flawless software, so American companies ship software that contains flaws and then repair those flaws in periodic updates transmitted over the Internet. That is what happened with SolarWinds, which makes and maintains network software in part in Eastern Europe, where the Russians have longstanding influence.

So a careful inspection of a network might reveal no foreign state penetration, but then comes a new software update. Perhaps there are two or three updates. Nothing is seen as wrong or invasive. Then, on the fourth or fifth update, when attention is focused elsewhere, the malware is inserted. The bad guys are in.
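To make concrete why the fourth or fifth update sails through, here is an added example; it is not code from the original article and not SolarWinds' own software. It models a toy vendor build-and-sign pipeline with an Ed25519 key standing in for the vendor's code-signing certificate, a constructed marker string standing in for the implant, and a constructed "source" per version. The point it demonstrates is the one the paragraph turns on: when the attacker inserts the malware before the signing step (in the SolarWinds case the implanted library carried the vendor's valid code signature), an update client that only checks the vendor signature accepts the trojanized update just as it accepted the clean ones; only a second check against a digest obtained independently of the vendor's pipeline, such as a reproducible rebuild of the published source, tells them apart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is one vendor update as it reaches a customer: the build bytes and
// the vendor's signature over exactly those bytes.
type Release struct {
	Version   string
	Artifact  []byte
	Signature []byte
}

// VendorPipeline is a toy build-and-sign pipeline (an assumption of this
// example, not any vendor's real pipeline). Compromised models an attacker
// who can write to the build tree ahead of the signing step.
type VendorPipeline struct {
	priv        ed25519.PrivateKey
	Pub         ed25519.PublicKey // the key shipped inside update clients
	Compromised bool
}

func NewVendorPipeline() *VendorPipeline {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &VendorPipeline{priv: priv, Pub: pub}
}

// implant is a constructed marker standing in for malicious code.
var implant = []byte("\x00CONSTRUCTED-IMPLANT")

// Build "compiles" (here: copies) the source and signs the result. When the
// pipeline is compromised the implant goes in before signing, so the
// signature over the trojanized artifact is genuine.
func (p *VendorPipeline) Build(version string, source []byte) Release {
	artifact := append([]byte(nil), source...)
	if p.Compromised {
		artifact = append(artifact, implant...)
	}
	return Release{Version: version, Artifact: artifact, Signature: ed25519.Sign(p.priv, artifact)}
}

// ReproducedDigest is the SHA-256 an independent party gets by rebuilding the
// published source themselves. The toy build is the identity function, so it
// is simply the digest of the source.
func ReproducedDigest(source []byte) string {
	sum := sha256.Sum256(source)
	return hex.EncodeToString(sum[:])
}

// VerifySignatureOnly is the check most update clients perform: accept any
// bytes the vendor key signed. It catches tampering after signing (in transit,
// on a mirror) and nothing that happened before signing.
func VerifySignatureOnly(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// VerifySignatureAndDigest additionally requires the artifact to match a
// digest obtained independently of the vendor's pipeline.
func VerifySignatureAndDigest(pub ed25519.PublicKey, r Release, expected string) bool {
	if !ed25519.Verify(pub, r.Artifact, r.Signature) {
		return false
	}
	sum := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(sum[:]) == expected
}

// Outcome records how each verifier judged one update.
type Outcome struct {
	Version         string
	SignatureOnly   bool
	WithIndependent bool
}

// RunScenario plays out the article's sequence: three clean updates, then the
// pipeline is compromised and updates four and five carry the implant.
func RunScenario() []Outcome {
	p := NewVendorPipeline()
	var out []Outcome
	for i := 1; i <= 5; i++ {
		if i == 4 {
			p.Compromised = true
		}
		version := fmt.Sprintf("v1.%d", i)
		source := []byte("netmon-agent source for " + version) // constructed input
		rel := p.Build(version, source)
		out = append(out, Outcome{
			Version:         version,
			SignatureOnly:   VerifySignatureOnly(p.Pub, rel),
			WithIndependent: VerifySignatureAndDigest(p.Pub, rel, ReproducedDigest(source)),
		})
	}
	return out
}

func main() {
	for _, o := range RunScenario() {
		fmt.Printf("%s  signature-only: %-5v  signature+independent digest: %v\n",
			o.Version, o.SignatureOnly, o.WithIndependent)
	}
}
```

Run it with `go run`: all five updates pass the signature-only check, while the independent-digest check accepts v1.1 through v1.3 and rejects v1.4 and v1.5. The design point is that a code signature only attests that the vendor's key touched the bytes, not that the bytes are what the vendor's source produces; a digest from a reproducible rebuild, or any attestation rooted outside the pipeline that was compromised, is what closes that gap.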

Cloud computing, which was supposed to help companies secure their systems, has been revealed to be a false promise. The Chinese group APT10 penetrated managed cloud service systems operated by IBM and HPE and was inside those systems for years, which allowed it to "hop" onto the systems of dozens of companies and agencies that had entrusted their systems to the big cloud computing providers. IBM was quoted as saying it could find no evidence of the attack, which was amazing.

So it is a Come To Jesus moment. Either the private sector pays the price to create secure systems, or America will remain forever vulnerable. Either the private sector and the U.S. government find ways to cooperate to protect all systems in the name of national security, or America will remain forever vulnerable.
