The webinar on Jan. 7 was almost guaranteed to be riveting. The subject was the recent Russian cyber attack. But it was the lineup that made it special: the CEO of the firm that uncovered the attack; the founder of a security startup that specializes in helping government agencies and businesses work with hackers to build stronger defenses; the U.S. senator who will soon chair the Intelligence Committee; and DOJ’s former top national security attorney as the session’s moderator.
Kevin Mandia, CEO of FireEye, started the ball rolling by explaining how his company discovered the malicious code in the SolarWinds software. But it was the last panelist to speak at the Aspen Institute webinar who suddenly commanded the spotlight. There was doubt that he would even make it to the event, which was called “A Moment of Reckoning: Understanding the Russian Cyber Attack.” That was because he had left a different “moment of reckoning” only hours earlier.
Senator Mark Warner (D-VA) had attended the joint session of Congress on Jan. 6 to affirm the electoral votes secured by President-elect Joe Biden. The assault on the Capitol that day delayed the process for hours, and it didn’t end until nearly 4:00 the next morning, about 10 hours before the webinar. The chaos and the emotional upheaval had left him shaken and angry. He felt compelled to address what he’d experienced, he said.
The previous night, when it was his turn to speak, he recalled breaking the rules by holding up a photograph. It was the front page of one of the German newspapers, and it showed “these thugs in the halls of Congress,” he said. “The images that have been conveyed around the world in the last 18 hours are a bigger goldmine and more priceless to Vladimir Putin than anything that Russia has obtained out of this intrusion.” He also complained about the president’s efforts to raise doubts about the attribution of the attack, as he has consistently done when Russia stands accused. “Obviously I’m pretty damn angry,” Warner said.
Warner also expressed gratitude to Kevin Mandia. He and his company are “patriots,” Warner said. If FireEye hadn’t devoted the time and resources to investigating and publicizing the attack, it’s unlikely anyone else would have. The reason they started investigating, Mandia explained, is that someone was logging in to their network the same way the other employees were logging in. Only he seemed to be using a second device. “Is this your second device?” they asked the employee. No, it wasn’t. That told them they had an intruder. Now they set out to learn how he’d gotten in. Searching for the earliest evidence of compromise, they kept coming back to a system that harbored the SolarWinds software. After they exhausted all the other forensic leads, they were ready to take the leap and decompile the software, reverse engineer it, and see if they could find the malware.
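The signal that surfaced FireEye's intruder, a known user authenticating from a device that user had never used before, can be written as a baseline-and-deviation check over authentication logs. This is an added illustration, not FireEye's code; the log format, the user and device identifiers and the baseline cutoff date are constructed.

```python
import re

# Constructed sample authentication log (hypothetical format, not from the webinar):
# <ISO-8601 timestamp> <user> <device_id> <result>
SAMPLE_LOG = """\
2020-11-30T08:01:12Z alice DEV-A1 success
2020-11-30T08:03:40Z bob DEV-B7 success
2020-12-01T09:12:05Z alice DEV-A1 success
2020-12-02T22:47:19Z alice DEV-Z9 success
2020-12-02T22:49:02Z alice DEV-Z9 success
2020-12-03T07:30:00Z carol DEV-C3 success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<device>\S+) (?P<result>\S+)$")


def parse(log_text):
    """Turn raw log lines into (timestamp, user, device, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], m["device"], m["result"]))
    return events


def baseline_devices(events, cutoff):
    """Devices each user successfully logged in from before the cutoff (the 'known' set)."""
    known = {}
    for ts, user, device, result in events:
        if result == "success" and ts < cutoff:  # ISO timestamps sort lexicographically
            known.setdefault(user, set()).add(device)
    return known


def new_device_logins(events, cutoff):
    """First successful login per (user, device) after the cutoff where the device is not
    in that user's baseline. A user with no baseline at all is reported as well, since an
    analyst should confirm whether that person really enrolled the device."""
    known = baseline_devices(events, cutoff)
    alerts, seen = [], set()
    for ts, user, device, result in events:
        if result != "success" or ts < cutoff:
            continue
        if device in known.get(user, set()) or (user, device) in seen:
            continue
        seen.add((user, device))
        alerts.append((ts, user, device))
    return alerts
```

Each alert is the point at which a defender would ask the real user, as FireEye did, “Is this your second device?”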
There were 14 gigabytes of files, 4,000 of them executable. They decompiled these into millions of lines of code, and found 4,000 lines that were malicious. “But it's not where you'd start,” Mandia emphasized. “And that's the key to this. There's no magical wand that finds backdoors in software that we all purchase and trust. And what led us to really do all that work was all the forensics, the thousands of hours of forensics we did prior in order to recognize that SolarWinds needed to be reversed.”
How Do You Establish Norms in Cyberspace?
Moderator John Carlin turned the conversation to the nature of the hack. Now chair of the Aspen Institute’s cyber and technology programs, and global chair of the risk and crisis management practice at Morrison & Foerster, Carlin asked what the motive seemed to be. Was it espionage? That was what he was thinking, he said. Or were they after information of economic value? Picking up on a subject that Warner had touched on, he asked: How do you establish norms in cyberspace?
Katie Moussouris had thoughts about norms, “since norms conversations have been in my purview.” The founder and CEO of Luta Security, Moussouris noted that she helped renegotiate the Wassenaar Arrangement for cyber export controls and cyber weapons, as part of the official U.S. delegation. “It feels to me,” she said, “like we're in the decline of the digital Roman Empire, and we're trying to tell people that it's not okay to use elephants to cross the Alps. Meanwhile, they're using elephants to cross the Alps. And we will be overrun.” All countries are going to want to hold onto their right to gather intelligence, she continued. That’s a given. She added a tip for the senator. It’s not technology that needs to be regulated. “It's regulation of the behaviors and what you do with it, as opposed to the technology,” she explained. These are the norms that need to be taken up “in the next administration, the next Congress.”
Mandia agreed with her take on espionage. “Hard to have norms for espionage,” he said. But he saw opportunities in another area. “We can damn well have norms for ransomware. The whole world is sick of tolerating hospitals and pharma companies being ransomwared. And watching billions of dollars leave the United States and other Western nations.” He said such an initiative would unite an international effort to adopt a strong policy and take a hard stand. He called 2020 “without a doubt, the worst year for every chief information security officer in my 27 years of doing this, and it was driven by ransomware.” Going after it “will be invoking punishment against the very people that probably did the breach that we're discussing here today,” he added.
As to what the attackers were after, Mandia reported his own observations as the CEO of a victim company. Stage One: getting a backdoor into the victim’s network through the SolarWinds platform. Stage Two: using that backdoor to get to domain credentials and some kind of server that has user accounts and passphrases, so as to access victim networks the same way the victim employees do. Stage Three: getting the token signing certs to access an Office 365 environment, probably for email, and likely specific people's email. Stage Four: depends on the victim company. At FireEye, the attackers stole their red team tools.
Convincing Companies to Report Breaches
One of the last topics the group took up was the limited number of companies that report attacks to the U.S. government. Warner suggested that the government is not in a position to respond effectively if it’s kept in the dark. Carlin noted that Alex Stamos, who is a member of his Aspen Institute cyber group, has called for the creation of the equivalent of the National Transportation Safety Board for cyber security. The information about an attack would go into a repository for study and avoid getting tied up in litigation, as Stamos said information from investigations about the hacks at Yahoo (where he worked) ended up.
A lot of companies are reluctant to report attacks out of fear that they suffered “from some level of cyber security hygiene negligence,” Moussouris said. They worry that they missed something, left something unsecured. If the government offered forgiveness in exchange for reporting, that could turn things around, she added. “But without that, I see no way that any organization would want to expose its internal flaws, its process failures, and its mistakes to a broad group.”
The problem with that, said Warner, is Equifax. Glaring errors become “the cost of doing business” for which there are no real consequences, he said. “Which in effect is what happened.” There were some penalties. “They took a hit for a while. A CEO lost his job. But 146 million Americans’ personal information was compromised by a foreign government,” Warner said. “That's not a good long-term solution.”
And Mandia? “There is a need for a federal disclosure law, ultimately having a safe harbor in that law,” he said. “To me, it's hard to prove negligence when you have a foreign power that attacks you.” It’s complicated, he added. “Maybe it depends on who attacks you that elevates or decreases your liabilities. Not all attacks are created equal. A lot of companies and regulated industries are expected to withstand greater attacks than other industries. If you make cupcakes for a living, you're not expected to be Fort Knox.
“It's a lot to sort out,” he acknowledged. “But I think you could start with: If there's an attack against an organization, and they disclose certain things in a certain way that helps the rest of the nation defend itself, and organizations across the world defend themselves, that should come with some sort of safe harbor. Or—to Katie's point—you’re not going to get a whole lot of folks doing disclosure.”