Illuminating SolarStorm: Implications for National Strategy and Policy

This essay appeared as part of a round table on how to respond to the SolarWinds attack.

This operation was a tremendous intelligence success for the Russian government, and recovering from it is going to be much harder than people think. It might not even be possible. It requires much more than simply removing the Sunburst backdoor and updating the affected SolarWinds software. It means burning the infected networks to the ground and rebuilding them from scratch, just as you might reinstall your computer’s operating system after a bad virus. But even that won’t be enough.

The Russians were slow and deliberate, using the backdoor in the trojanized SolarWinds update to obtain initial footholds in only a few of the roughly 18,000 networks that installed it, and then working over months to establish persistence by creating alternative means of access that would survive discovery and removal of the original backdoor.

This means they were able to burrow very deep into compromised systems. How deep? We don’t know for sure, but here’s a comparable example. IRATEMONK is one of the National Security Agency (NSA) hacking tools initially described in Edward Snowden’s archive. It is a hard-drive firmware implant, which means it survives reformatting of the drive and reinstalling the operating system. In other words, the only remediation is to replace the drive outright with a brand new one, which costs money. This particular NSA trick is at least eight years old, and the actual code for performing it was stolen and published by the Shadow Brokers in 2016. Today cyber criminals use it in ransomware. Assume that the SVR had equally clever tricks back then, learned about some NSA approaches, and had almost a decade to invent even cleverer ones.

In short, unless those infected by the SolarStorm operation throw away their hardware and software, and then start from scratch, they won’t know for sure that the Russians have been purged from their networks. But rebuilding networks from the ground up, never mind going the extra step of replacing all hardware, is very expensive. Given the size of the federal agencies involved, there is simply too much hardware and software for that to be considered. So it is unlikely to happen.

It is also unlikely that the federal government will enforce strict security standards for technology procurement—which is what we need to prevent a repeat of SolarStorm. Enforcing minimum security requirements raises the cost of everything while it limits procurement options. And such requirements will be opposed by the full lobbying might of an industry that would rather sell cheaper insecure products than do the hard work of security.

Cybersecurity is expensive. Cybersecurity to defend against nation-state operations like SolarStorm is very expensive. But cyber-insecurity can end up costing even more. We as a country need to decide when and how we are willing to pay.

Categories: Computer and Information Security