Australia must do more to prepare for a SolarWinds-style supply-chain attack
22 Dec 2020

The Australian government’s 2020 cyber security strategy is overwhelmingly focused on increasing the cybersecurity efforts of the defence organisation and law enforcement agencies. The mounting crisis in the United States from the hacking of software company SolarWinds indicates that this is not enough.

On 12 December, cybersecurity firm FireEye announced it had detected an alleged Russian cyberattack that had compromised SolarWinds’ commonly used Orion network monitoring and management software to gain access to victim organisations—potentially 18,000 of them. The US National Institutes of Health and the departments of Treasury, Commerce, Homeland Security and State are reported to be among the victims.

This looks to be an extremely successful campaign, but haven’t we seen this all before?

Operation Cloud Hopper was a years-long Chinese Ministry of State Security campaign that compromised managed service providers, or MSPs, to gain access to their clients. MSPs provide remote IT services to their clients and generally have close to total control of client IT systems, so hacking into a single MSP can provide the master keys to many victim companies. Cloud Hopper affected more than a dozen MSPs and there were possibly hundreds of victim companies.

The response of Western governments was a coordinated denouncement of the activity by the Five Eyes partners (Australia, Canada, New Zealand, the UK and the US), along with Germany, Japan and other allies. The US Department of Justice issued indictments for two of the hackers, and more recently, the EU imposed sanctions.

The relative strength of the response to Cloud Hopper, the most robust combined diplomatic effort in reaction to a cyberattack to date, didn’t deter the SolarWinds perpetrators.

What other approaches should we be taking? The strategies espoused by the US Cyber Command could be a good place to look.

USCYBERCOM is responsible for defensive and offensive cyber operations. Its vision document states that it wants to maintain superiority in cyberspace and introduces the concepts of ‘persistent engagement’ and ‘defending forward’. The command aims to disrupt and deter adversaries by engaging and contesting them wherever they are on the internet. During the 2018 US midterm elections, for example, USCYBERCOM booted a Russian troll factory off the internet, and in the lead-up to the 2020 election it worked with overseas partners in ‘hunt-forward operations’ where it aimed to ‘take down the archer rather than dodge the arrows’.

Does the success of the SolarWinds supply-chain hack despite the efforts of USCYBERCOM invalidate the defend-forward and persistent-engagement model?

No.

The strategies imply, at least to some degree, the use of offensive cyber operations for pre-emptive defence (offensive cyber operations are those that disrupt, degrade or destroy). And offensive cyber operations are effective—during the Covid-19 pandemic they have been used by both Australia and the UK to disrupt disinformation and criminal operations, and in October USCYBERCOM disrupted the Trickbot botnet.

The acknowledgement of these types of operations by governments indicates they are increasingly comfortable with justifying them, both internally and publicly, as worthwhile and effective. In addition, ransomware (the criminal version of offensive cyber operations) is so effective that it’s threatening to undermine the cyber insurance market.

But although disruptive cyber operations are effective and the public portrayal of organisations like USCYBERCOM and the US National Security Agency makes them appear omniscient, the reality is that these organisations have limited resources and competing requirements and have to strictly prioritise their efforts. No doubt the highest priority of US intelligence agencies in the past nine months was ensuring the integrity of the 2020 election.

In other words, the approach is effective, but even well-resourced intelligence agencies can’t know everything.

The SolarWinds campaign has been described as particularly stealthy, and the malware the attackers used lay dormant for weeks prior to activating itself. This kind of strict operational security comes with both benefits and costs.

On the one hand, tight operational security, or OPSEC, allows operations to continue undetected, and therefore produce an ongoing stream of intelligence. And the Russian state absolutely has an enduring interest in what is occurring in the US government. If it could, Moscow would like to retain access to the US State Department forever.

On the other hand, strict OPSEC greatly slows the speed of intelligence collection, as the intelligence benefits of each action have to be weighed against the risk of discovery. Good OPSEC tends to increase the duration of an intelligence operation (because you don’t get detected), but it can paradoxically limit the scale and scope of the data collected (at least in the short term, assuming somewhat competent defenders).

Importantly, the approach used in the SolarWinds campaign—strict OPSEC—is consistent with effective use of the strategies of persistent engagement and defending forward. To be clear, it is also consistent with the hackers simply trying to avoid being detected. But, on its own, the SolarWinds campaign is not a repudiation of persistent engagement.

But if deterrence via diplomacy, indictments and sanctions has failed, and defending forward is at best an incomplete solution, what other avenues should we pursue?

First, we should recognise that forcing an adversary to make its operations more stealthy is a form of success. Operations without any consideration for OPSEC can rapidly gather huge amounts of data—because cyber operations can be either faster or quieter, not both at the same time.

Second, we need to put far greater emphasis on raising security across the entire economy. The Australian government has rightly focused on protecting a relatively broad definition of critical infrastructure, but it needs to do much more to encourage the rest of Australia’s businesses to increase their cybersecurity.

When critical infrastructure is a hard target, criminals and states will find other, easier ways to attack us that achieve similar effects. The government and law enforcement cannot possibly conceive of, discover and combat every single threat. We need to empower and encourage businesses and the community to protect themselves.

One positive development would be providing regulators with real teeth. The Australian Prudential Regulation Authority has indicated it will be taking a far more robust approach after it found that too many boards either don’t understand their true cyber risk or fail to tackle that risk as urgently as they should.

But APRA deals with just a small, albeit important, sector in the Australian economy. Other bodies, such as the Office of the Australian Information Commissioner, the Australian Securities and Investments Commission, and even the Australian Competition and Consumer Commission, should be funded to prosecute cases in which poor cybersecurity practices are identified.

Cybersecurity programs focused on the defence and law enforcement sectors, by themselves, will not protect us from attacks like the one on SolarWinds. We need to do much more to encourage action across the entire economy.