Last Thursday, I had to issue one
of the first apologies I’ve made in the eight years I’ve been writing this blog.
I did that because…well, I screwed up. You can read the post, but the upshot is
that I mistakenly assumed that JetBrains – a very successful software company
with a big following and a great reputation – had been used to breach some of
their customers, including SolarWinds.
JetBrains was founded by three
Russians and still has a large presence in Russia. Without going back to read the
New York Times story about them – or the post I wrote based on that story
– I wrote that their software had been used to attack their customers, when in
fact the story had just wondered whether that might have happened; it didn’t
say it had happened[i].
Here’s a thought exercise: If JetBrains
had been founded by, for example, three Laotians, would I have been so quick to make
that statement? I’ll admit it – I wouldn’t have. I’ve never thought of myself
as being prejudiced against Russian companies, but clearly I must be. Of course,
the Russian government – and various criminal groups they’re allied with – has
done some pretty bad things to us and to other countries around the world,
including in the cyber realm. But it’s a big leap from acknowledging that fact
to saying that Russian tech companies shouldn’t be trusted, until some evidence
appears that a particular Russian company is in fact not trustworthy.
I’ll be much more careful to avoid
this mistake in the future. But I’m not actually writing this post to preach an
uplifting moral message. Something else important happened last week that
relates to this subject of unfairly targeting companies with ties to countries
whose governments are untrustworthy: President Biden put the May 1 Executive
Order on hold for 90 days. I sincerely hope he will send it to a well-deserved
grave after that. And I also hope that DoE’s follow-on Order from December will
also be sent to sleep with the fishes.
I don’t usually brag that I was
right all along, but I’ll say it now: I was right all along. In a post the day after the EO was published, Kevin Perry and I made
it quite clear: “…the order is a huge mistake. It will end up making the BPS
much less secure, rather than the other way around.”
Four days later, when Kevin and I
had time to think through the EO and what it meant, we put out another post entitled “What exactly is the goal of this Executive
Order, anyway?” In that post, we pointed out that, of the 25-odd devices
targeted by the EO, only three of them are operated by a microprocessor. Yet according
to the EO, all of them are subject to a cyberattack. I pointed out that my $10 steam
iron is just as subject to a cyberattack as those devices are – in other words,
not at all (and this includes transformers, which were by far the biggest focus
in press discussions of the EO, yet which are operated solely by the laws of
physics – not by any microprocessor. The last time I checked, the Chinese haven’t
yet figured out a way to bypass the laws of physics).
I wrote at least 8-10 other posts pointing
out this and other problems with the EO. I once characterized it as “a non-solution
to a non-problem”. I stand by that characterization.
However, last week I made the same
mistake as the EO, although fortunately on a much smaller scale. I
unconsciously assumed that any software that came from Russia is likely to
carry malware or a backdoor meant to undermine American industry. The EO
assumed that anything that came from, or was associated with, certain countries
was by that fact alone likely to be dangerous.
Of course, the one country the EO
was aimed at was China. Even though DoE later produced a list of five other
countries that the EO would apply to – Iran, North Korea, Russia, Venezuela (!),
and Cuba – none of those countries sells grid control systems to the US or is
at all likely to do so in the foreseeable future. And, as Kevin and I pointed
out in our second post linked above, the only system components that
China even assembles (let alone sells) are motherboards for servers and
workstations sold by Dell and HP. Since there’s no way the Chinese factories
assembling those servers know whether they’re destined for an electric utility
in California or a dry cleaner’s in Kansas, they simply can’t be the vector for
a supply chain cyberattack on the US grid.
There’s an even bigger reason why the
EO made no sense: It assumed that the Chinese government has every incentive in
the world to want to launch a supply chain cyberattack that takes out a large
portion of the US power grid, and that any patriotic Chinese company would be
more than willing to help them accomplish this goal (or would at least not be
able to resist the considerable pressure the government could bring to bear on
them to cooperate).
But why would a Chinese company
that has made great efforts to build up market share in the US throw all of
that away by participating in a supply chain attack on the US grid? After such
an attack – especially one that involves hardware (the EO mentioned nothing
about software) – it would be ridiculously easy to find out what device led to
the attack. It’s just about certain that any company found to have been a
vector for the attack would be banned from selling anything in the US ever
again, and probably in any Western country as well. In other words, it would
probably be a death sentence for the company. Yet the EO assumes that any Chinese
company would be easily persuaded to participate in a massive supply chain
attack on the US grid.
And why would the Chinese
government itself be dead set on launching a devastating supply chain attack on
the US power grid? Again, unlike non-supply chain cyberattacks, where nowadays
the entry point is usually a phishing email that could have come from anywhere,
in a supply chain attack (again, especially a hardware one), there’s no question
what government might be behind it: the government of the country of origin of
the hardware, or perhaps the government of the country where the vendor is
located.
Moreover, there’s almost no
question that a big grid outage caused by a supply chain attack would be
considered an act of war, leading to a military response. And once two
nuclear powers start down the military path, even if it’s non-nuclear at first,
it’s very possible that someone will make a mistake or get carried away, so
that within an hour or two you’ll have lots of dead people in both countries,
no matter which side ultimately declares “victory”. If you don’t believe this
could happen, just ask the late Vasily
Arkhipov, the Soviet naval officer whose single decision during the Cuban
missile crisis in 1962 probably saved the world (or at least the USSR and the
US) from total destruction.
So is it really likely the Chinese
government would even entertain the thought of a massive supply chain attack on
the US grid? Of course not.
And suppose we were to take action
like what was contemplated in the EO (and will be realized to a more limited
extent if DoE’s December supply chain order doesn’t get rescinded), and ban all
grid hardware and/or software that “originates” in Russia or China (or both) –
or is sold by a Russian or Chinese-owned or influenced company? Who would be
the real losers in that event?
Of course, one class of losers
would be the Russian or Chinese companies that would lose a lot of business due
to this decision, in spite of their actual innocence. But the bigger class of
losers would be US-based organizations that would normally use the software or
hardware that was banned. After all, JetBrains didn’t get a huge market share among
software developers by being just one among many options – they did it by
offering an excellent product. Preventing US software developers from buying
JetBrains because the company was “Russian influenced” would be just about the
same as imposing a tax on those developers, equal to the presumably substantial
difference in productivity between using JetBrains and using the next best
competitor (as well as the transition costs, of course, which would also be
considerable).
At this point, I would normally make
fun of the people who wrote the EO and even entertained the idea that it was
likely that China would be so foolish as to try to launch a supply chain attack
on US infrastructure – if I hadn’t done the same thing myself about a week ago,
when I wrote the post
that included a statement that assumed Russia would be happy to do the same
thing.
So I can’t say I’m more virtuous
in this regard, but I will say I hope the idea that nation states are in
themselves a serious threat for a supply chain attack caused by planting
malware or a backdoor in a software or hardware product destined for the US
gets buried along with the EO itself. Sure, it’s good to know where hardware
products are made and who sells them (although the idea that software is “developed”
anywhere in particular is just about meaningless nowadays) – since there are
lots of considerations besides cybersecurity for which such information is
important (e.g. you may be concerned about the legal environment of the country
where the supplier is located, in case an issue arises that would require legal
action).
But only a fool would base their judgment
of a software or hardware product’s level of cybersecurity on where it came
from, or on the nationality of the
company that made it. Just ask the fools that wrote the EO. Or the fool that
had to apologize to JetBrains.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] It
doesn’t justify my mistake, but I think even writing the Times article
was a mistake. After all, why even speculate about whether software from a
Russian company is backdoored? Why not also speculate about whether all vodka
coming from Russia is poisoned?