Has Russia just been caught hacking the controls for US Nukes?

SolarWinds, the NNSA, and the long history of digital supply chain risk. Why this is bad, but could be worse.


It’s so close to Christmas. The folks at the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) should be looking forward to calmer seas after the passing of the storm clouds that were the US presidential elections. Yes, CISA might have seen the politicised dismissal of its architect and respected guru Chris Krebs (and a number of resignations following this), but at least those times are finally past. The EU has finally published its updated Cyber Strategy. They too should be patting themselves on the back and looking forward to food, good cheer (socially distanced), and alcohol (in liberal quantities). Instead all of that is up in the air and I find myself writing a blog post while I’m meant to be on leave.

Why, you ask, am I motivated to write this blog when I should be enjoying mince pies, Michael Bublé, and schnapps? Simple: having spent this morning taking in various news reports and scrolling through Twitter debates on the SolarWinds hack, I couldn’t restrain myself any longer. The title of this blog might seem a little… click-baity. So, let’s be clear. No, Russia has not been caught red-handed hacking into the NC3 (nuclear command, control, and communications) of the US nuclear arsenal. After news broke that the growing list of departments, companies, and agencies compromised by this hack now includes the US Federal Energy Regulatory Commission (FERC) and the National Nuclear Security Administration (NNSA), a number of poorly worded articles and interviews have arrived on the scene insinuating that the latter means it is possible, maybe even likely, that malicious actors have gained access to US NC3.

So, what are the facts and what does this mean? Firstly, the festive period is likely ruined for federal agency workers across the US and for CISOs (Chief Information Security Officers) the world over. This hack circumvented the much vaunted and incredibly costly Einstein cyber defence system that was meant to protect against this exact kind of risk. Einstein was designed to deal with known methods of network penetration and exploitation, matching traffic against known signatures and indicators of compromise; it appears that it was unable to detect an intrusion that used a novel approach and arrived inside a legitimately signed vendor update. On top of this, Einstein is not deployed to protect the private sector, not even companies that provide critical services or tools to the US government. The dependency of national security upon the private sector, as a result of the growing reliance on networked technologies, is a long established and recognised dynamic. And yet, this incident has only occurred as a result of an insecure digital supply chain. The compromise of SolarWinds allowed the perpetrators to hitch a ride into what should be some of the most secure networks on the planet, posing as a perfectly legitimate update.

It turns out that SolarWinds network management tools are quite popular in federal agencies (and Fortune 500 companies). This popularity has likely contributed to the breadth of access that this means of entry has granted its perpetrators; cue thoughts for another blog on the digital supply chain risks of [near] monopolies. According to FireEye, who seem to have been the first to discover this incident, the group who turned SolarWinds’ Orion network management platform into what could be the most effective Trojan horse since the original saw the end of Troy quickly set about spreading laterally through connected networks and working to make their removal harder.

Lateral movement within networks refers to the ability of intruders to gain access to and/or control of systems and networks that are connected to their initial point of ingress. In a highly interconnected environment, such as the US federal government’s, that means that if your initial point of entry is central enough, and you can obtain sufficiently privileged credentials, you can reach networks far beyond the point at which you started. A network management tool is an attractive foothold precisely because it is central: it is trusted to talk to, and often holds credentials for, much of the estate it monitors. A second priority for cyber-espionage campaigns, beyond lateral movement, is to deploy persistence mechanisms. These are designed to make it harder for the intruders’ access to be revoked if any part of their activity is detected. Christmas is certainly cancelled if you work for CISA. While FireEye, Microsoft, and others may now have managed to close the opening that initially gave the perpetrators access, it will be a much longer, more complex job to assess just how much they reached and to remove any malware or other persistence measures they deployed through that hole.

But what does this mean for the NNSA and the risk to nuclear NC3? The risks of diverse supply chains for security infrastructure have long been known, if not fully appreciated, by the US. While we cannot say with certainty, given the nature of these systems, it is highly likely that every part of NC3 is subject to far stricter access controls and separation from other networks. The likelihood of lateral movement from the NNSA or any other federal agency into these systems is remote. There are, however, serious strategic questions to be asked as a result of this incident. Are cyber norms and current legal frameworks sufficient to encourage and enforce good state practice in cyberspace? What does this mean for cyber defence programmes such as the much-vaunted Einstein? Can the US legitimately claim to have been attacked, or respond as if it has been, when this incident bears remarkable similarity to what is likely being done as part of the US strategy of defending forward in cyberspace? Defending forward has been a relatively transparent and key component of US cyber strategy, involving the penetration of foreign networks in order to gain pre-emptive knowledge of, and defend against, hostile actions that could target the US.

These are questions that the Biden administration is going to have to address, and quickly. But for now, when you’re breathing a sigh of relief as you finish work today for Christmas, spare a thought for the poor members of CISA who will be sorely lacking in festive cheer.