By Brock Burton
The United States was hit by yet another cyber-attack on 13 December. More accurately, the US was hit months ago and is only now discovering it. This most recent breach of the US’s cyber security has been entitled Sunburst and one can only hope it will shine a light on the US’s inability to take the cyber realm seriously. History says it will not.
SolarWinds, the Texas-based IT company whose software was hacked, says up to 18,000 customers may have been affected by the breach. This number includes a number of US government agencies including the Departments of State, Energy, and Defense, as well as the Treasury. While the focus of the hack appears to be the US government, it appears that business networks in the US, UK, Israel, and Canada were also spied upon.
Secretary of State Mike Pompeo was quick to place blame on Russia, stating that the hack bears all the hallmarks of Russia’s foreign intelligence service, the SVR. Russia denies the claim. While this was repeated by other senior US officials, President Trump attempted to downplay the significance of the breach and Russia’s involvement. Reciting his usual refrain of fake news, Trump claimed that it may have been China who committed the hack. He also used the breach as an opportunity to repeat the baseless claims that was the rightful winner of the election. He did so days after the electoral college voted to confirm Biden’s victory.
According to SolarWinds, the source of the breach was malicious code inserted into a routine update. The vulnerabilities such dependency on private actors creates have been revealed to the world by Sunburst. As the world has become increasingly reliant on technology, governments have realized they are ill-equipped to develop their own software or at least to compete with Silicon Valley. This software supply chain is difficult to secure.
Claiming this is a one-off incident is false. The USand its Western allies have repeatedly proven susceptible to hacking. The revelation of this breach, while months in the making, comes on the heels of warnings from the American and British governments that Russian and Chinese hackers were targeting Covid-19 vaccine research. IBM warned that cold chain management systems, used to ensure that Covid-19 vaccines requiring deep cold storage remained at proper temperatures during distribution, were being targeted by actors with nation-state level sophistication.
Like Sunburst, these efforts were aimed at gathering information rather than attacking infrastructure. However, the US Department of Energy has already warned that such vulnerabilities present real risks for critical infrastructure. The past three decades have seen regular and significant breaches of US cyber-security. China infamously obtained millions of US government employees’ personal information when it hacked the Office of Personnel Management in 2014. But from the Moonlight Maze hack of the 1990s, which acquired US military secrets, to the efforts targeting the Democrats during the 2016 election, Russia has proven to be America’s foremost enemy in all things cyber.
The US government paid particular attention to securing the country’s elections over the past four years after the 2016 election revealed their vulnerability. And under the Trump administration the military has invested increasing amounts into cyber-security. But Trump’s firing of Chris Krebs, the Director of the Cybersecurity and Infrastructure Security Agency responsible for such cyber-security, shows that the US’s cyber-security efforts are largely dependent on political factors. While the government’s security is dependent on private companies, the same companies are dependent on the government to pass legislation that allows both to effectively combat cyber-crime. Yet Trump has vetoed the National Defense Authorization Act (NDAA), which includes funding and reforms to reshape the structure of the nation’s cyber defenses. Whether the NDAA itself even goes far enough remains questionable.
It is tempting to blame such shortsightedness on Trump’s political goals, especially because it is likely the veto will be overridden in the days to come. In reality, it is par for the course. The US government has historically proven incapable of matching America’s peers in cyberspace. President-elect Biden has promised to prioritize cybersecurity during his term. Biden has stated that the US will respond in kind once the identity of the attackers is determined and has pointed a finger at Russia. This is in line with previous policy and espionage efforts carried out by the US, rather than a true transformation of cyber-policy. Merely allocating more money to the same old things will not counter cyber-attacks and espionage. The US needs to re-examine the foundations of its policies regarding cyberspace.
Calling Sunburst a declaration of war is an overstatement. There has been a Cold War raging in cyberspace for decades. Sunburst revealed how vulnerable the US is to the American political establishment. The US must transform its policies and capabilities in this critical area. However, it seems unlikely that either Trump or Biden will usher in such a revolution, each preferring the standard American response of throwing more money at the problem.
The views expressed in this article are the author’s own and may not reflect the opinions of The St Andrews Economist.