The SolarWinds Hack Is Just The Same Sort Of Espionage The US Government Engages In Every Day

from the ugly-and-inconvenient-truth dept

A historic hack of unprecedented scale has set off alarms in the US government — itself a target of suspected Russian hackers who leveraged IT infrastructure company SolarWinds’ massive customer base to compromise an unknown number of victims. Among those victims were several US government agencies, including the DHS’s cybersecurity wing, which announced its own breach hours after issuing a dire warning to potentially affected government agencies.

Is it time to panic? No, says the lame duck president, who claims this is already “under control” — something that very definitely isn’t true. SolarWinds says it has 18,000 customers using the affected Orion software. And many of those customers (which include Fortune 500 companies and major telcos/service providers) have thousands of customers of their own — all of which may be operating compromised systems. The DHS said the only way to ensure systems are clear of this threat was to airgap them and uninstall the infected software.

Others who have been briefed on the hack are far less cheery about its ongoing impact. Trump tweeted there was nothing to worry about. Republican allies seem more concerned than the man who won’t have to worry about this for much longer.

Shortly after Mr. Trump’s tweet, Sen. Marco Rubio (R., Fla), acting chairman of the Senate Intelligence Committee, said it was “increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.”

Mr. Rubio added on Twitter that efforts to determine the extent and damage of the hack were ongoing and that remediation would take significant time and resources. “Our response must be proportional but significant,” he said.

The 2050s will be like 1950s, apparently: with America in the midst of another Cold War.

But is it true this is the “gravest cyber intrusion in our history?” Or is it just the “gravest” intrusion that’s targeted us? After all, the Russians don’t have a monopoly on government-ordained hacking. Our intelligence and security agencies deploy their own persistent threats — something we’ve done for years with minimal blowback. These calls for a cyber war by pundits and government officials aren’t anything to be applauded. I don’t think America really wants to get involved in another forever war — one whose wins and losses can’t be tallied with temporary “liberations” and body bag back orders.

Let’s be cautious, says Jack Goldsmith. Better yet, let’s be aware of the hypocrisy of the stance some government officials are demanding we take.

The lack of self-awareness in these and similar reactions to the Russia breach is astounding. The U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day.

Turning a cyber war into a shooting war isn’t just an overreaction. It’s illegal under international law. That doesn’t mean nothing should be done about it. It just means the US government can’t pretend it doesn’t engage in the same activities some now want to go to war over. What’s happened here might be unprecedented in scale, but it’s the same thing every government with enough resources has done for years. It’s not a war waiting to happen. It’s business as usual.

Peacetime government-to-government espionage is as old as the international system and is today widely practiced, especially via electronic surveillance. It can cause enormous damage to national security, as the Russian hack surely does. But it does not violate international law or norms.

In recent years, the US government has deployed more offensive weapons in hopes of deterring cyber attacks. It really hasn’t worked. Meeting escalation with more escalation is unlikely to change the standard operating procedures of espionage, especially since the US government hasn’t rolled back its offensive efforts in the wake of massive breaches.

But there may be a way forward — one almost impossible to achieve but promising enough it shouldn’t be dismissed out of hand.

[The US government] has not seriously considered the traditional third option when defense and deterrence fail in the face of a foreign threat: mutual restraint, whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks. There are many serious hurdles to making such cooperation work, including precise agreement on each side’s restraint, and verification. But given our deep digital dependency and the persistent failure of defense and deterrence to protect our digital systems, cooperation is at least worth exploring.

There’s no moral high ground to claim here. And refusing to consider bringing some of our cyber boys back home leaves us with nothing but continuous escalation. This hack is raising uncomfortable questions about our own practices. Let’s see if anyone in the White House is willing to honestly confront the consequences of our own actions and find another route towards safety and national security.

Companies: solarwinds


Comments on “The SolarWinds Hack Is Just The Same Sort Of Espionage The US Government Engages In Every Day”

Anonymous Coward says:

Hypocrisy at its finest

When WE do it, it’s just peachy but when someone else does it to US then it’s a crisis the likes of which our country has ever seen and grounds for war!

The US doesn’t hesitate to deploy these tactics against foreign governments and acts incensed when one of them responds in kind.

And of course perish the thought of us showing any kind of restraint when in reality we’ll just escalate further, and it doesn’t help that our mindset apparently is pure offense and little defense, if any at all.

right says:

not buying it

I guess you assume this would work like the IRAN deal did… please don’t build nuclear weapons… if we say pretty please? Pretty please with sugar on it?

Let’s assume for a second that some great stupidity came down and everyone here suddenly decided – yes, we will never attempt to gain intelligence via hacking.
Are you going to sit there and honestly be that naive that everyone else will not?
Russia? Really – personally I think China and North Korea are tied for that award as well.

Anonymous Coward says:

[The US government] has not seriously considered the traditional third option when defense and deterrence fail in the face of a foreign threat: mutual restraint,

There is also a fourth option: hardening our critical systems against fallacious behavior, both accidental and malicious. (Of course I realize that even attempting to do this takes more balls than we can muster.)

PaulT (profile) says:

"Sen. Marco Rubio (R., Fla)"

I’m not sure if it’s comforting that I keep seeing the same idiots spouting nonsense in a lot of stories (meaning that the majority of US politicians are actually competent administrators and not grandstanding morons), or if it’s depressing (because these people still keep getting elected).

"The 2050s will be like 1950s, apparently: with America in the midst of another Cold War."

What did people think MAGA meant? They pine for a time that never really existed outside of TV reruns, but they do remember the cold war and being able to dominate anyone who wasn’t a straight white male. Whether the fiction they pine for is Leave It To Beaver or Red Dawn depends on their age group, but both are probably wishing for wartime to return.

Anonymous Coward says:

Re: Re:

Efficiency is a very good reason unfortunately – good logistics win wars. Bad logistics put you in decline and lead to embarrassing defeats. There are opportunity costs to everything.

Technically we could have armed motorcades transporting encrypted hard drives to prevent interception of messages. Practically that would be a massive needless expense which slows things down massively.

The sad part is that hardening these things wouldn’t be that difficult or inefficient – even just using flawed SSH and PPKI would be miles better than passwords. Have one set per user including administrators and nonoverwriteable only audit logs and you have nonrepudiation as the answer of who either fucked up or betrayed you is "the one whose keys were used for this illicit access".

ECA (profile) says:

May the Farce be with you

"deployed more offensive weapons in hopes of deterring cyber attacks."


IMO, this could have been caught before anything happened. As in, where in hell did that .DLL come from?
Setting up an outgoing monitor of the system. Where things get looked at, and a list of where things are going.
Machines that have access to the system are REGISTERED, and DATA OUT also, only to REGISTERED systems.

Thinking a Club (not the one for cars) can stop an internet attack? Priceless.
