Marriott, Equifax, the Office of Personnel Management, and the latest US federal agencies – the big cyberattacks keep coming. They can begin to feel like routine nuisances, like fender benders on the highway. But anyone tempted to brush off the recent SolarWinds and FireEye breaches as routine should reconsider.
This is not a fender bender. It’s a 75-car pileup and we know what’s wrong. The truth is, we are still getting a grip on cybersecurity at the federal level. While cybercrime is now a permanent fixture on the US Intelligence Agency’s annual Worldwide Threat Assessment report, there is a profound difference between identifying a problem and resolving it with Manhattan Project urgency. We have to shake off complacency because we may not get a second chance.
Why is the SolarWinds FireEye crisis so troubling?
When you think of cyberattacks, you imagine a hierarchy of chaos. At the lower levels, this includes stolen credit card or health information. These are inconvenient but not crippling. Attacks on a single company or agency are higher up the hierarchy. They steal intellectual property, from auto blueprints to vaccination prescriptions, or hold its systems for ransom until payment is made. These are expensive and temporarily crippling.
But this? This is utter chaos. This was a global supply-chain attack whose damage is without precedent. It hit dozens of organizations from the US Treasury Department to Intel and Cisco. We haven’t measured the full impact yet. It may take years to tally the costs.
“In fact, this is not just an attack on specific targets, but also on the trust and reliability of the world’s critical infrastructure to advance a country’s intelligence,” said Microsoft President Brad Smith in a blog post earlier this month.
The hardest part to swallow might be this: the attackers’ weapons of choice weren’t particularly new.
You may have read reports that observers were shocked – shocked! – that the malware was embedded undetected in SolarWinds systems for months before hitching a ride on a software upgrade downloaded by thousands of customers. Actually, that’s not shocking. It’s an old, familiar strategy. The enemy here worked from a venerable cyberwar playbook, but the defenses still shattered like willow railway bridges.
The truth is that while most cybersecurity vendors sell prevention, and big cybersecurity players continue to ensure prevention is the strategy in Washington, breaches are guaranteed. Period. The real tonic is the rapid detection and elimination of threats. Without it, opponents who evade prevention products can roam freely through target networks for months. In this crisis, it was nine months.
What is really shocking is how powerful and ruinous this well-known infiltration and hiding strategy has proven to be at scale. Equally shocking, while the nature of this attack is crystal clear, its intent remains a mystery. As massive as it was, the smart money says it was just a test or a warning shot. I think it’s just an indication of the chaos to come. And I suspect that the culprits behind this attack, state agents of chaos or their proxies, are amazed at their success. They have to be thinking: what are our next goals? Many wise analyses point to Russia, but other nation-states also have an eye on American assets and infrastructure. They too now have to wonder what they can get away with.
The short-term solution is closer to home. In the face of this cyberattack, what I am asking of President-Elect Joe Biden and his security team is politically difficult, but absolutely critical. I ask for the rarest political phenomenon: courageous action without a political mandate.
We know how most voters shrug off news of cybersecurity vulnerabilities. We know how many other problems the Biden administration will face. The problem of climate change reminds us how difficult it is to spark public support to prevent a disaster that has not yet happened. Still, only the federal government can put a more comprehensive, smarter, multilateral cyber defense on the agenda. Civilians in Washington may not always understand cybersecurity, but this is where my tech allies and I can help. Inattention and dismissal cost us a lot. Give us an opportunity to help defend them effectively while we still have time.
If a dangerous driver cuts you off on the freeway, you swerve, collect yourself, and keep driving. But when six well-hidden snipers open fire on the entire highway, that’s different – an order of magnitude different. That is our situation at the beginning of 2021. The level of the threat has increased; the ultimate mission of our enemies is unclear. Under the next president, America’s stance on cybersecurity must exceed the sum of the cost of breaking it. Next time, they could be unpredictable.
The author is the President and CEO of Vectra AI, a threat detection and response company based in San Jose, California.