Saturday, December 19, 2020

Why are we “struggling” to respond?


Yesterday, the Wall Street Journal published an article titled “Broad Cyberattack Linked to Russia Leaves U.S. Struggling for Response”.[i] Since non-subscribers won’t be able to read it (unless you want to sign up for a free trial), I will summarize its contents in my discussion. The article starts by saying:

1. The attacks just damaged data – unlike, for example, NotPetya, which of course was also a Russian operation. NotPetya rendered computer hard drives forever unreadable. It inflicted damage on many organizations worldwide, including Mondelez, Merck and FedEx in the US. And it almost sank (pun intended) Maersk, the world’s largest container shipper.

2. As such, they were not different in principle from spying, which governments have been doing ever since there were governments, although this was far bigger in scale.

3. The article says “U.S. intelligence agencies engage in cyberspying all the time, although U.S. officials say they don’t generally conduct destructive attacks or steal intellectual property. Because traditional cyber espionage is typically considered fair intelligence activity by most countries—even, sometimes, among allies—retaliation or public condemnation isn’t usually an option that is considered.”

4. The article continues “Others said the sheer breadth of the SolarWinds hack makes it different from traditional cyberspying. ‘The fact that this took place on such a massive scale sort of puts it in a different category,’ said John Dermody, counsel at the O’Melveny law firm and former deputy legal adviser at the National Security Council. The economic costs could be enormous, as companies scour their networks to determine whether the perpetrators installed additional malware, he said.”

But I think the above statements miss the real nature of this problem: The fact that the Russians have been in the affected networks for so long (at least since last June, and in some cases since March) means they have had plenty of time to exfiltrate massive amounts of data, but also to cover their tracks so that it will be quite hard, and in many cases simply impossible, to discover every nook and cranny where they’re hiding.

This in turn means that employees of the agencies that are known to have been penetrated – including DoE, some parts of DoD, DHS, the State Department, the National Nuclear Security Administration, FERC, at least a couple of National Labs, and certainly more to be discovered – have to assume until further notice that Vladimir Putin is BCC’d on every email they send, and that he will be the first one to read any new document they create.

Some networks – especially the most sensitive ones – will need to be rebuilt from the ground up, but this is a tremendously expensive exercise. Other networks will have to be cleansed as much as possible, and employees will just have to get used to their new world. What will be the effects of this new situation? It’s hard to say at this point, but it’s safe to say that probably a lot less work will get done, since a large percentage of federal government employees – traditionally risk averse in the best of situations – will no longer be willing to take any risks at all; this means that a lot of government processes will simply grind to a halt. In other words, even, say, five years from now we will have a much less functional government than we did before this week, to say nothing of one that holds very few secrets that the Russians don’t already know.

What to do about this? The article concludes:

James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank, said that Washington should exact a penalty for the SolarWinds hack. He cited the Cyber Command’s Task Force ARES, which in 2016 disrupted Islamic State’s ability to communicate, spread propaganda and recruit for the terrorist network, one of the first instances of U.S. offensive cyberwarfare.

“You interfere with the opponents’ ability to conduct operations. You sit on their networks,” Mr. Lewis said. “We really have to take a look at taking some kind of action against the Russians.”

Thomas Bossert, whose article in the NY Times I discussed in my post on Thursday, said in today’s Washington Post:

“The United States can now direct its focus and unite the world against this outrage.” He said the Russian government is holding American networks at risk. “We must impose a cost on the Russians,” he said. “Until we start defending digital infrastructure as if commercial and government operations depended on it, we will remain rudderless.”

Well guess what? Commercial and government operations depend on it. So what do we do now?

I would say there are four possible types of response:

1. Military. This would obviously be quite dangerous, since the US and Russia are both nuclear powers. It’s highly unlikely that we would take military action in response to a cyberattack, and rightly so.

2. Kinetic cyberattack. For example, an attack on the Russian grid that would put a lot of people in the dark and might well result in a few deaths. There are some people who seem to think that we should respond to a kinetic cyberattack on our grid with one of our own – and it’s highly likely we’ve already planted malware in Russia’s grid, just like they’ve planted it in ours.[ii] However, I discussed in this post why that would be a very bad idea. Briefly, especially if we end up killing people in our attack, it’s very possible that Russia might respond militarily. And once we’re in the military realm, a single mistake might literally result in the end of Western civilization (and most of us with it!), as almost happened during the Cuban Missile Crisis of 1962 (see the post just referenced for the hair-raising story of that incident). But most importantly, the SolarWinds attack wasn’t a kinetic one.

3. Non-kinetic cyberattack. This is an attack that affects information – most likely by exfiltrating it, but perhaps by destroying it. This is possibly “all” that happened in the SolarWinds attacks, although up until now there have been no reports of information being destroyed (and important information is probably backed up so many times and in so many places that it would be impossible to destroy it anyway). But if we had found a way to massively exfiltrate Russian data, why haven’t we done it by now? We wouldn’t wait for them to launch a huge cyberattack on us, since spying is something that governments have done on each other ever since there were governments.

4. Something else.

What could that be? Individual sanctions have been applied to Russia before, but unless they target the people directly responsible for these attacks, the deterrence message will not be clear. However, further financial sanctions on Russia, beyond those already in place because of what Putin has done in Ukraine, especially ones that would bite his oligarch friends and their businesses, might inflict damage where it’s most needed.

In 2014, the US is widely believed to have caused a total collapse of North Korea’s internet access. Something along those lines – that would be widespread and perhaps cause a lot of Russians to wonder why they support this guy – would also be great. It doesn’t have to be immediate. Let’s plan it carefully before it happens.

And I can think of one way the US could cause serious pain to the individual most responsible for these attacks, one V. Putin. We can do that by releasing whatever information we have on his personal misdeeds. This includes:

1. His financial assets. He’s estimated to be worth up to $200 billion, but it’s unlikely the CIA has documentation for all of that. Whatever evidence we have of any large assets – such as the approximately $1 billion mansion widely reported to have been built for him – should be laid out for the citizens of Russia to see.

2. The bombings of five apartment buildings in Moscow in 1999. Putin was then prime minister, and his effective and deadly response to the bombings – which he blamed on Chechnya and which led to the Second Chechen War, that pretty much leveled a lot of that country – led to his becoming president a few months later. And he’s been president in fact, if not always in title, ever since. There have been many accusations that Putin himself was behind the bombings, and at least a few people who investigated them were assassinated in subsequent years. Does the CIA have any information that hasn’t already been made public on these bombings? If so, this would be a great time to release it.

Putin is worried about his popularity in Russia, given that he didn’t handle the coronavirus well and there are huge questions about the vaccine that he rushed into production without adequate testing. Whatever we can do to make this problem worse would be great.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] The headline on the electronic copy is different from this. This is the headline on the physical copy in this morning’s paper. The article is mostly the same, though.

[ii] This was what the FBI, CIA and ONI said in the 2019 Worldwide Threat Assessment. There has been no reported investigation of that statement, whether classified or unclassified. And the administration avoided the whole embarrassing issue this year by not putting out a WTA at all. This is of course very reasonable: It’s much better not to let the American people know something about the threats they face, than to possibly say some bad things about Vladimir Putin. Of course, that’s the same dynamic going on in the current case.
