The SolarWinds hackers could be in US government computers for a long time. Here’s our next move

On December 13, the US National Security Council acknowledged that there had been a major data breach of government entities, including the National Telecommunications and Information Administration (part of the Commerce Department) and the Treasury Department. In an analysis, the cybersecurity company FireEye said the breach was probably a “supply chain” attack involving a third-party vendor SolarWinds and that it likely began last spring. Days after the council’s report, then Secretary of State Mike Pompeo pointed the finger at Russia for perpetrating the attack.

The SolarWinds hack is problematic. Troves of data are now in Russian hands, including Microsoft’s source code. That information is not coming back, nor is there an easy fix for patching up the government’s systems. The SolarWinds attack, however, was not the first on US government systems. Another major publicly acknowledged attack occurred as recently as 2015, when hackers broke into the Office of Personnel Management and stole some 20 million personnel records. In addition to attacking government networks, the hackers behind the SolarWinds breach also stole sophisticated private-sector penetration testing tools from FireEye, a cyber-security firm, and other intellectual property.  Attackers have also done something like this before. In 2017, hackers leaked sophisticated hacking methods and tools from the US  National Security Agency.

We have seen versions of the SolarWinds story before; the problem is not new. In fact, at around the same time as Russian hackers allegedly broke into SolarWinds, Chinese hackers were allegedly doing the same thing, Reuters has reported.

Security experts and the Cybersecurity and Infrastructure Security Agency (CISA) are right: The government needs to either shut down or begin patching up and remediating the systems affected by the SolarWinds hack. But they are advocating an entirely reactive approach to government-backed hacks. While some may think that hackers eventually disappear from breached networks, they actually tend to linger for a long time. Hackers can stay in networks and steal data for months, or even years. When the Chinese People’s Liberation Army attacked US government entities in a hack dubbed “Titan Rain,” for example, the hackers strategically picked off targets from at least 2003 to 2006, stealing military flight planning software, among other products.

Cybersecurity specialists in government can continuously try to purge attackers from networks, often to no avail, or they can adopt a different strategy—one of endurance.

In the context of government cyber security, endurance is not about making it through a defined period without failing; the time horizon that an organization needs to endure attacks is infinite. The federal government, of course, needs to be constantly aware of any attackers and their potential to wreak havoc at any given time—the SolarWinds hackers apparently had been on the company’s network for months before the intrusion was detected. But pivoting to an endurance strategy would also mean the government would be doing more than just detecting intrusions; it would also be “embracing” the hackers in government networks, using their nefarious motivations against them.

In the military sphere, some of this is already happening. The US military’s cyber doctrine calls for extensive engagement with hackers.

General Paul Nakasone who leads the US Cyber Command and the National Security Agency established a strategy called “defend forward,” under which the Pentagon tries to meet hackers on their own turf. Defend forward was originally described in the 2018 Department of Defense Cyber Strategy as having the intention of halting malicious activity at the source. Ahead of being confirmed to his new post, US Secretary of Defense Lloyd Austin wrote that the defend forward policy involves developing insight about what adversaries are doing in cyberspace, helping organizations develop defenses, and, importantly, disrupting adversaries when necessary. While explicit public references to cyberattack disruptions are virtually non-existent, we know that the Defense Department and the National Security Agency have been protecting coronavirus vaccine research, for example, reflecting the active ethos of the defend forward policy.

Defend forward is the only reasonable way to deal with what the Center for Strategic and International Studies called “irregular warfare.” China, Russia, Iran, and the United States are constantly prodding and poking each other’s systems, networks, and data. The asymmetric nature of information operations—that is the scrappy, unpredictable, and varying tactics involved in cyber warfare–necessitates active engagement. Otherwise, the US government will be blind to an adversary’s capabilities and plans.

Given the inevitability of cyber confrontation among the United States and other cyber powers, a strategy of persistent, active engagement with an adversary’s networks makes perfect sense. Attackers are getting in US government networks and the government, likewise, cannot pause in engaging them.

In 2018, Bulletin of the Atomic Scientist Science and Security Board Member Herb Lin and I wrote about one controversial tactic that might fall within the defend forward strategy outlined by Nakasone. We wrote about the legality and merits of active cyber defense in the form of booby traps, an idea that currently resides in a legal grey area. The Computer Fraud and Abuse Act criminalizes gaining access to computers or exceeding one’s authorized level of access; “hacking back,” even against a malicious cyber actor, may not be totally street legal. But if it isn’t already doing so, the US government should configure such booby traps within its own networks.

Our idea aligns with the merits of a defend forward strategy along with the notion of cyber endurance. The strategy embraces attackers on government networks and uses the fact that they are present to the government’s advantage.

Here is a general way that laying a trap could work, one we outlined in our 2018 piece in Lawfare:

Consider a scenario in which a honeypot is deployed that attracts attackers interested in compromising B’s network and associated devices. When the attacker A implants himself in a honeypot system belonging to B, A’s tools are generally sending some data back to A’s home systems (e.g., reconnaissance data) and is using B’s resources to do so.

Under this set of facts, nothing should prevent B from corrupting some or all of the packets that are being sent back to A. The packets sent back to A won’t ever execute anything by themselves. But A will store and ultimately run queries on these corrupted packets—and depending on the methods used for these queries, they may cause some trouble in A’s machines.

Such a technique could be effective given that we know that hackers affiliated with the governments of Russia, China, and other countries are all inside the US government networks and continuously stealing data anyway. While I am sure there is already plenty of clickbait that adversaries will be attracted to on government networks, it wouldn’t hurt to increase the scent of the traps by giving them tantalizing names like: “pswd mgr,”“nukes,”or “dcryptky.” The attacker would feel like a kid in a candy store exfiltrating this data.

With cyber endurance in mind, cyber operators must change what they do after finding unusual activity on networks. Given that there will always be some background nefarious activity occurring, organizations need to choose the threshold for when background noise becomes serious enough to address—and more importantly, how to address it by engaging the hackers within their own network.

While some are calling the SolarWinds attack a wake-up call, I would encourage experts to see it as an argument for a cyber-endurance strategy. With the defend forward approach the US military is already thinking this way. Now the rest of the federal government should follow suit.