from the ugly-and-inconvenient-truth dept
A historic hack of unprecedented scale has set off alarms in the US government — itself a target of suspected Russian hackers who leveraged IT infrastructure company SolarWinds’ massive customer base to compromise an unknown number of victims. Among those victims were several US government agencies, including the DHS’s cybersecurity wing, which announced its own breach hours after issuing a dire warning to potentially affected government agencies.
Is it time to panic? No, says the lame duck president, who claims this is already “under control” — something that very definitely isn’t true. SolarWinds says it has 18,000 customers using the affected Orion software. And many of those customers (which include Fortune 500 companies and major telcos/service providers) have thousands of customers of their own — all of which may be operating compromised systems. The DHS said the only way to ensure systems are clear of this threat was to airgap them and uninstall the infected software.
Others who have been briefed on the hack are far less cheery about its ongoing impact. Trump tweeted there was nothing to worry about. Republican allies seem more concerned than the man who won’t have to worry about this for much longer.
Shortly after Mr. Trump’s tweet, Sen. Marco Rubio (R., Fla.), acting chairman of the Senate Intelligence Committee, said it was “increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.”
Mr. Rubio added on Twitter that efforts to determine the extent and damage of the hack were ongoing and that remediation would take significant time and resources. “Our response must be proportional but significant,” he said.
The 2050s will be like the 1950s, apparently: with America in the midst of another Cold War.
But is it true this is the “gravest cyber intrusion in our history?” Or is it just the “gravest” intrusion that’s targeted us? After all, the Russians don’t have a monopoly on government-ordained hacking. Our intelligence and security agencies deploy their own persistent threats — something we’ve done for years with minimal blowback. These calls for a cyber war by pundits and government officials aren’t anything to be applauded. I don’t think America really wants to get involved in another forever war — one whose wins and losses can’t be tallied with temporary “liberations” and body bag back orders.
Let’s be cautious, says Jack Goldsmith. Better yet, let’s be aware of the hypocrisy of the stance some government officials are demanding we take.
The lack of self-awareness in these and similar reactions to the Russia breach is astounding. The U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day.
Turning a cyber war into a shooting war isn’t just an overreaction. It’s illegal under international law. That doesn’t mean nothing should be done about it. It just means the US government can’t pretend it doesn’t engage in the same activities some now want to go to war over. What’s happened here might be unprecedented in scale, but it’s the same thing every government with enough resources has done for years. It’s not a war waiting to happen. It’s business as usual.
Peacetime government-to-government espionage is as old as the international system and is today widely practiced, especially via electronic surveillance. It can cause enormous damage to national security, as the Russian hack surely does. But it does not violate international law or norms.
In recent years, the US government has deployed more offensive weapons in hopes of deterring cyber attacks. It really hasn’t worked. Meeting escalation with more escalation is unlikely to change the standard operating procedures of espionage, especially since the US government hasn’t rolled back its offensive efforts in the wake of massive breaches.
But there may be a way forward — one almost impossible to achieve but promising enough it shouldn’t be dismissed out of hand.
[The US government] has not seriously considered the traditional third option when defense and deterrence fail in the face of a foreign threat: mutual restraint, whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks. There are many serious hurdles to making such cooperation work, including precise agreement on each side’s restraint, and verification. But given our deep digital dependency and the persistent failure of defense and deterrence to protect our digital systems, cooperation is at least worth exploring.
There’s no moral high ground to claim here. And refusing to consider bringing some of our cyber boys back home leaves us with nothing but continuous escalation. This hack is raising uncomfortable questions about our own practices. Let’s see if anyone in the White House is willing to honestly confront the consequences of our own actions and find another route towards safety and national security.