Russian ‘Pearl Harbor’ is threat inflation of the worst kind
Over the course of the past decade, the United States has spent billions of dollars building a covert cyber warfare capability targeting Russia. In 2019 this capability was used to insert malware designed to threaten Russia’s power grid and other infrastructure. This statement of fact is a necessary preamble to the recent and ongoing drama surrounding the cyberattack on U.S. computer networks, which used a previously unknown exploit linked to software operated by SolarWinds, a Texas based company that develops software for businesses to help manage their systems and information technology infrastructure.
While the SolarWinds cyber-attack appears unprecedented in its scale, it did not occur in a vacuum. Rather, it must be assessed in the context of a broader cyber conflict that has been ongoing between the U.S. and Russia for years.
U.S. politicians such as Sen. Dick Durbin, a Democrat from Illinois, have likened the SolarWinds attack to “virtually a declaration of war by Russia on the United States,” that the U.S. should take seriously. The SolarWinds hack, however, was no “cyber Pearl Harbor,” a reference to a doomsday scenario floated by former Secretary of Defense Leon Panetta, who in 2012 spoke about an “aggressor nation or extremist group” that would use “cyber tools to gain control of critical switches,” which could enable them to “contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Instead, SolarWinds is the logical consequence of an America which has become so tangled up in the vitriol created by anti-Russian rhetoric that it is blind to the potential consequences of its actions.
Sometime in mid- to late-November, investigators working for FireEye, Inc., a cybersecurity firm servicing a number of high-profile commercial and government clients, began looking into the theft of stolen sensitive proprietary tools that the company uses to find vulnerabilities in its clients’ computer networks. The investigators quickly discovered that an entity had gained access to its network using “trojanized” updates to IT monitoring and management software distributed by SolarWinds. FireEye had determined that the attackers were exploiting VMware Access and VMware Identity Manager products to generate what are known as Security Assertion Markup Language (SAML) signing certificates that granted the attackers access to protected data from a number of victims, including a number of federal entities.
The National Security Agency (NSA) issued a cybersecurity alert on December 7, directing federal network administrators to undertake specific mitigation against the SolarWinds and VMWare intrusion. On December 13, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), determined that the intrusion “poses an unacceptable risk to Federal Civilian Executive Branch agencies” requiring “emergency action.”
While the potential for data compromise from the SolarWinds cyber attack is unprecedented, the actual damage done remains unknown. There is no evidence that the attackers conducted any offensive or destructive actions — i.e., deleting information or seeking to destroy or disrupt critical infrastructure. The real damage was the erosion of confidence in the very verification system — the issuance of SAML signing certificates — that served as the foundation of security for all network systems. The President of Microsoft, Brad Smith, in a statement released on December 17, called the attack “an act of recklessness that created a serious technological vulnerability for the United States and the world” that put at risk “the trust and reliability of the world’s critical infrastructure.”
Despite the lack of any formal attribution by either the U.S. government or any of the civilian entities involved in the Solar Winds attack, many officials and experts (including Attorney General Bill Barr and Secretary State Pompeo) have blamed the Russians. That is because they openly believe the hack to be the handiwork of what is known as Advanced Persistent Threat (APT) 29. By definition, an APT represents cyber tools and methodologies, and not individuals or groups. The specific linkage between these cyber activities and the intelligence services of Russia are still a matter of speculation based upon analysis of the countries and institutions targeted by actors using these tools and methodologies. There is, however, good reason to associate APT 29 with the Russian government.
In October 2014, APT 29 was assessed as being involved in a spear-phishing attack at the U.S. State Department. This attack was monitored by the Dutch intelligence services, which had penetrated a hacking team working in Moscow that employed malware and techniques associated with APT 29. The Dutch also had taken control of a security camera that monitored access to the room used by the hackers, enabling them to see the faces of those who went in and out of the room. In this manner, the Dutch were able to detect others who visited the room during the attack on the State Department. These visitors included known officers of the Russian Foreign Intelligence Service, or SVR.
In July 2015 both the FBI and NSA were reported to have been tracking intrusions into the server of the Democratic National Committee by APT 29. According to Edward Snowden, the NSA contractor-turned-whistleblower who leaked thousands of highly classified documents to news outlets in 2013, the NSA possessed an analytical tool, known as Xkeyscore, which enabled the real-time detection and monitoring of the 2015 cyber-attack on the DNC server. XKeyscore would have allowed the NSA to attribute the cyber intrusion of the DNC server to APT 29. Whether or not APT 29 is the culprit behind the SolarWinds cyber intrusion is not known at this time.
Russian attribution, however, is meaningless when examining the bigger picture of U.S.-Russian relations. Unlike the 2019 U.S. cyber-attacks on Russia, which were designed to inflict massive physical harm on that nation, the SolarWinds attack was a pure intelligence-gathering event which, had it remained undetected, would not have impacted the daily lives of America’s citizenry. Such an attack is the antithesis of a “Pearl Harbor,” which by its very nature would logically result in inescapable tragedy. The conflation of an intelligence operation into a life-or-death situation demanding decisive action highlights the separation between perception and reality, where perception assumes its own reality in the face of baseless doomsday projections that exist solely to inflame the passions of those inclined to believe them as true.
The domestic political nature of this crisis, where political actors broadcast alleged Russian successes (and, by extension, American failures) to gain political advantage over those whom they seek to paint as being weak on Russia, is underscored by the reaction of President-elect Joe Biden, who has indicated that he sees no signs that the Trump administration will have dealt with the SolarWinds cyber intrusion by the time he takes office next month. “The question of the damage done remains to be determined,” Biden said, noting that the attackers “can be assured that we will respond and probably respond in kind.”
The one-sided nature of Biden’s comments underscores the fact is that the SolarWinds cyber intrusion is more about domestic politics than it is about national security, where political differences have become weaponized by politicians who build up the threat posed by Russia on the one hand, and then criticize their political opponents for failing to take appropriate action in response to the potentially misleading narrative they have crafted. The consequences of such policy myopia, however, can, and will resonate internationally, as America’s warlike rhetoric runs the risk of generating a like-minded response from Russia.