Hacking into a number of U.S. government agencies and the private sector, U.S. intel officials point all fingers at Russia, when, in fact, they have no clue what happened. What the government knows for sure is that hackers from somewhere inserted malicious code into updates for the ubiquitous, Austin, Texas-based SolarWinds computer network program, that comes with powerful cybersecurity guarantees. While everyone in Congress jumps up-and-down blaming Russia, the real blame should go to SolarWinds who sells a so-called secure platform that, in fact, that leaks-like-a-sieve when it comes to computer hackers. Many U.S. agencies, including the Treasury, Agriculture, Commerce and Energy departments spent billions on SolarWinds network management programs only to find out they’re not secure. Cyber-crime and hacking are a fact of life in the computer software industry.
Before elected officials beat the war drums, they should take a hard look at what’s wrong with multibillion dollar purchases of network management programs that lack adequate cyber-security protections. Whatever the hacker’s origin, whether a state-sponsor or private enterprise, U.S. officials should take a deep breath. Calling the hack “virtually a declaration of war,” Sen. Dick Durbin (D-Ill.), shows what’s wrong with elected officials that don’t know the difference between acts of war and espionage. Corporate and state-sponsored espionage is a fact of life in practically every industry on the planet, let alone between sovereign states. “America must retaliate, and not just with sanctions,” said Sen. Marco Rubio (R-Fl.), not knowing at whom to retaliate, assuming that 68-year-old Russian President ordered the attack. U.S. intel officials must consider that a rogue cyber-terrorist group could have performed the hack.
U.S. intel officials say Russia’s foreign intelligence service [SVR] spread the malicious code to the SolarWinds network management software on a routine update, meaning, that the hack occurred with Texas-based SolarWinds Corp. Rubio’s comments were especially disturbing because they violate the U.N.’s definition of an “act of war.” “Warfare implies violence, death and destruction,” said Duncan Hollis, Temple University cyber-security professor, by no means the last word of cyber-crime. “Simply stealing information, as much as we don’t like it, is not an act of war—it is espionage,” said Benjamin Freidman, policy director as Defense Priorities think tank. Focusing only the hack takes the blame off SolarWinds, whose software was compromised not by Russia or some other cyber-criminal but the lack of adequate security safeguards expected of costly computer software.
Instead of Capitol Hill lawmakers focused on whether the hack is an act of war or espionage, they should ask SolarWinds Corp. what went wrong that malicious code was inserted into their contaminated software update. “It may simply be a massive act of espionage that would not constitute and act of war. We don’t know yet whether the Russians simply assessed U.S. government computers or actually disrupted government functions,” said John Bellinger, senior fellow at Council on Foreign Relations, former State Department Lawyer under former Secretary of State Condoleeza Rice. All 78-year-old President-elect Joe Biden needs before he takes office are calls for war against the Russian Federation. With Russia denying the charges, U.S. intel agencies can only surmise the origin of the attack. But it’s entirely possible, even if they trace the hack to St. Petersburg, Russia, that it’s a rogue operation.
SolarWinds’ 54-year-old CEO Kevin B. Thomson has a lot of explaining to do how he could sell top-security government software that was easily penetrated by foreign actors. Inserting code into a routine software update is outrageous when you consider that the foreign actor didn’t hack into the government computers directly but exploited a weakness in SolarWind’s network management software. “I think there’s a difference between an act of espionage, which we conduct as well, and other nations do, versus an attack,” former Director of National Intelligence James Clapper said in 2015 in Congressional testimony following a Chinese hack. However experts debate the issue of espionage v. an act of war, it’s outrageous the U.S. lawmakers are talking about military retaliation against the Russian Federation. Getting Thomson to explain what went wrong with their software would be a good start.
Beating the war drums on Capitol Hill does nothing to stop future hacking attacks whatever the source. Whether believed or not, Russian President Vladimir Putin emphatically denies that the Russian Federation hacked into U.S. government computers. What’s known for sure is that SolarWinds network management software was infected with malicious code that allowed hackers to rummage around in government computers. No one knows the extent of the security breach, other than knowing that SolarWinds software was not protected from cyber-crime. “We know that lots of countries engage in espionage, and we don’t bomb them in response,” Friedman at Defense Priorities. “They’ll be held accountable,” Biden told CBS Late Night host Stephen Colbert. “Individuals as well as entities will find . . . there are financial repercussions for what they did,” promising consequences.
