Early last year, Russian hackers infected the widely used SolarWinds software management system with malware designed to spread out and compromise US government, military and corporate IT systems. US security officials are still trying to assess the extent of the penetration, which wasn’t uncovered until December. More important, they are trying to figure out how to track and block future hacks.
Testifying last week at a hearing before the Senate Armed Services Committee, National Security Agency Director Paul Nakasone described a “blind spot” in US intelligence – the legal prohibition against domestic spying on US citizens. “It’s not that we can’t connect the dots,” said Nakasone, who is an Army general, “we can’t see all the dots.”
He claims foreign adversaries recognize the blind spot and exploit it. “They understand the laws and the policies that we have within our nation and are utilizing our own infrastructure, our own Internet service providers, to create these intrusions.” Operating behind layers of deception, foreign hackers can make themselves “look” online like Americans and, therefore, be exempt from national security scrutiny, Nakasone said.
The SolarWinds hack was discovered by a diligent employee of FireEye, a leading US cybersecurity firm, who noticed a suspicious log-in on a mobile phone by someone posing as a FireEye salesman. It turned out FireEye was one of the hackers’ 18,000 victims, more than 80 percent of which were private sector entities.
The Senate hearing served as an opportunity to float different ideas, many of them tied to shrinking existing protection against domestic spying. The idea would be to allow national security officials and the FBI to follow unusual computer traffic from abroad without seeking court orders, which can take time to obtain, allowing hackers to evaporate into the cyber mist before they are discovered.
Another idea that surfaced was to create a “fusion center” where information and leads from various national security agencies are pooled so federal agents can work in real-time to track suspicious activity.
The Netflix series Homeland depicted a scenario where Germany’s Federal Intelligence Service outsourced spying on German citizens to the Central Intelligence Agency to evade domestic surveillance restrictions similar to America’s. That same approach could presumably be run in reverse in real life.
Oregon Senator Ron Wyden has sounded warnings that this approach could erode citizen expectations of privacy from government spying. He insisted, “There are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic Internet.”
Wyden fears hand-wringing over the SolarWinds hack will result in “shoveling out hundreds of millions of dollars in new government contracts to shore up problems with the insecure software that [government contractors] already sold the government.”
“The government needs to get much smarter about how it buys software and other IT products,” he says. “I think it is outrageous that the government doesn’t consider cybersecurity when it decides what [software] to buy.” Wyden’s comment was interpreted as pointing a finger at the US government’s heavy reliance on Microsoft products.
Technology companies, also victims of the SolarWinds hack, have encouraged focusing on high-priority investments to increase cybersecurity rather than trying to close security gaps through broader surveillance.
President Biden’s administration has indicated it is developing a response to the SolarWinds hack, but says it isn’t entertaining a policy shift to increase legal authority for domestic surveillance.