Russia on my mind

Last Thursday, I had to issue one of the first apologies I’ve made in the eight years I’ve been writing this blog. I did that because…well, I screwed up. You can read the post, but the upshot is that I mistakenly assumed that JetBrains – a very successful software company with a big following and a great reputation – had been used to breach some of their customers, including SolarWinds.

JetBrains was founded by three Russians and still has a large presence in Russia. Without going back to read the New York Times story about them – or the post I wrote based on that story – I wrote that their software had been used to attack their customers, when in fact the story had just wondered whether that might have happened; it didn’t say it had happened[i].

Here’s a thought exercise: If JetBrains had been founded by for example three Laotians, would I have been so quick to make that statement? I’ll admit it – I wouldn’t have. I’ve never thought of myself as being prejudiced against Russian companies, but clearly I must be. Of course, the Russian government – and various criminal groups they’re allied with – has done some pretty bad things to us and to other countries around the world, including in the cyber realm. But it’s a big leap from acknowledging that fact to saying that Russian tech companies shouldn’t be trusted, until some evidence appears that a particular Russian company is in fact not trustworthy.

I’ll be much more careful to avoid this mistake in the future. But I’m not actually writing this post to preach an uplifting moral message. Something else important happened last week that relates to this subject of unfairly targeting companies with ties to countries whose governments are untrustworthy: President Biden put the May 1 Executive Order on hold for 90 days. I sincerely hope he will send it to a well-deserved grave after that. And I also hope that DoE’s follow-on Order from December will also be sent to sleep with the fishes.

I don’t usually brag that I was right all along, but I’ll say it now: I was right all along. In a post the day after the EO was published, Kevin Perry and I made it quite clear: “…the order is a huge mistake. It will end up making the BPS much less secure, rather than the other way around.”

Four days later, when Kevin and I had time to think through the EO and what it meant, we put out another post entitled “What exactly is the goal of this Executive Order, anyway?” In that post, we pointed out that, of the 25-odd devices targeted by the EO, only three of them are operated by a microprocessor. Yet according to the EO, all of them are subject to a cyberattack. I pointed out that my $10 steam iron is just as subject to a cyberattack as those devices are – in other words, not at all (and this includes transformers, which were by far the biggest focus in press discussions of the EO, yet which are operated solely by the laws of physics – not by any microprocessor. The last time I checked, the Chinese haven’t yet figured out a way to bypass the laws of physics).

I wrote at least 8-10 other posts pointing out this and other problems with the EO. I once characterized it as “a non-solution to a non-problem”. I stand by that characterization.

However, last week I made the same mistake as the EO, although fortunately on a much smaller scale. I unconsciously assumed that any software that came from Russia is likely to carry malware or a backdoor meant to undermine American industry. The EO assumed that anything that came from, or was associated with, certain countries was by that fact alone likely to be dangerous.

Of course, the one country the EO was aimed at was China. Even though DoE later produced a list of five other countries that the EO would apply to – Iran, North Korea, Russia, Venezuela (!), and Cuba – none of those countries sells grid control systems to the US or is at all likely to do so in the foreseeable future. And, as Kevin and I pointed out in our second post linked above, the only system components that China even assembles (let alone sells) are motherboards for servers and workstations sold by Dell and HP. Since there’s no way the Chinese factories assembling those servers know whether they’re destined for an electric utility in California or a dry cleaner’s in Kansas, they simply can’t be the vector for a supply chain cyberattack on the US grid.

There’s an even bigger reason why the EO made no sense: It assumed that the Chinese government has every incentive in the world to want to launch a supply chain cyberattack that takes out a large portion of the US power grid, and that any patriotic Chinese company would be more than willing to help them accomplish this goal (or would at least not be able to resist the considerable pressure the government could bring to bear on them to cooperate).

But why would a Chinese company that has made great efforts to build up market share in the US throw all of that away by participating in a supply chain attack on the US grid? After such an attack – especially one that involves hardware (the EO mentioned nothing about software) – it would be ridiculously easy to find out what device led to the attack. It’s just about certain that any company found to have been a vector for the attack would be banned from selling anything in the US ever again, and probably in any Western country as well. In other words, it would probably be a death sentence for the company. Yet the EO assumes that any Chinese company would be easily persuaded to participate in a massive supply chain attack on the US grid.

And why would the Chinese government itself be dead set on launching a devastating supply chain attack on the US power grid? Again, unlike non-supply chain cyberattacks, where nowadays the entry point is usually a phishing email that could have come from anywhere, in a supply chain attack (again, especially a hardware one), there’s no question what government might be behind it: the government of the country of origin of the hardware, or perhaps the government of the country where the vendor is located.

Moreover, there’s almost no question that a big grid outage caused by a supply chain attack would be considered an act of war, leading to a military response. And once you have two nuclear powers start down the military path, even if it’s non-nuclear at first, it’s very possible that someone will make a mistake or get carried away, so that within an hour or two you’ll have lots of dead people in both countries, no matter which side ultimately declares “victory”. If you don’t believe this could happen, just ask the late Vasily Arkhipov, the Soviet naval officer whose single decision during the Cuban missile crisis in 1962 probably saved the world (or at least the USSR and the US) from total destruction.

So is it really likely the Chinese government would even entertain the thought of a massive supply chain attack on the US grid? Of course not.

And suppose we were to take action like what was contemplated in the EO (and will be realized to a more limited extent if DoE’s December supply chain order doesn’t get rescinded), and ban all grid hardware and/or software that “originates” in Russia or China (or both) – or is sold by a Russian or Chinese-owned or influenced company? Who would be the real losers in that event?

Of course, one class of losers would be the Russian or Chinese companies that would lose a lot of business due to this decision, in spite of their actual innocence. But the bigger class of losers would be US-based organizations that would normally use the software or hardware that was banned. After all, JetBrains didn’t get a huge market share among software developers by being just one among many options – they did it by offering an excellent product. Preventing US software developers from buying JetBrains because the company was “Russian influenced” would be just about the same as imposing a tax on those developers, equal to the presumably substantial difference in productivity between using JetBrains and using the next best competitor (as well as the transition costs, of course, which would also be considerable).

At this point, I would normally make fun of the people who wrote the EO and even entertained the idea that it was likely that China would be so foolish as to try to launch a supply chain attack on US infrastructure – if I hadn’t done the same thing myself about a week ago, when I wrote the post that included a statement that assumed Russia would be happy to do the same thing.

So I can’t say I’m more virtuous in this regard, but I will say I hope the idea that nation states are in themselves a serious threat for a supply chain attack caused by planting malware or a backdoor in a software or hardware product destined for the US gets buried along with the EO itself. Sure, it’s good to know where hardware products are made and who sells them (although the idea that software is “developed” anywhere in particular is just about meaningless nowadays) – since there are lots of considerations besides cybersecurity for which such information is important (e.g. you may be concerned about the legal environment of the country where the supplier is located, in case an issue arises that would require legal action).

But only a fool would base their judgment of a software or hardware product’s level of cybersecurity on where it came from, or  onthe nationality of the company that made it. Just ask the fools that wrote the EO. Or the fool that had to apologize to JetBrains.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

---

[i] It doesn’t justify my mistake, but I think even writing the Times article was a mistake. After all, why even speculate about whether software from a Russian company is backdoored? Why not also speculate about whether all vodka coming from Russia is poisoned?