Guest post: Kurt Sanger on “The ‘SolarWinds’ Hack and the Need to Reframe U.S. Cybersecurity Information Sharing”
Today’s post is by Marine Lt. Col Kurt Sanger and, wow, it could not be more timely! The Washington Post just ran a story indicating the Biden administration is planning sanctions against Russia for its alleged involvement in several malign activities to include the massive cyber hack called (as Kurt puts, “perhaps unfairly,”) ‘SolarWinds.”
The ‘SolarWinds’ hack may be the largest and most serious in U.S. history . As explained here, Russian hackers reportedly penetrated U.S. government and private sector computer networks months ago. Unfortunately, until they were discovered in December, they collected inforrmation all that time…and possibly implanted dangerous malware. It really is hard to overstate the seriousness of this hack, and authorities aren’t even certain they know the full extent of it.
Lots of complex legal issues are raised by this event (see, e.g., here and here), but in this essay Kurt grapples practical steps that ought to be taken by the victims now. He makes a very convincing case that infornmation sharing between public and private actors must dramtically improve–much sooner rather than later—or we’re surely going to find ourselves victimized again.
Here’s Kurt’s must-read essay:
The ‘SolarWinds’ Hack and the Need to Reframe U.S. Cybersecurity Information Sharing
by Kurt Sanger, Lt. Col., USMC
To understand one of the significant failures that led to the hack popularly (and perhaps unfairly) referred to as ‘SolarWinds,’ imagine a world in which the Ford Motor Company faced an extended siege of its headquarters and factories soon after its 1903 incorporation, and that they were left to defend themselves. Ford builds protective trenches and trains its personnel to mount their defense.
Their leaders draw on experience from the battlefield, adapting their tactics through trial and error. Though their enemies do not surrender, Ford is able to continue auto making operations.
In this alternate world, come the eve of the United States’ entry into World War I, it is safe to say the U.S. Government would have approached Ford for the lessons it learned while fighting in the trenches. Knowing U.S. forces would soon face similar warfare, access to Ford’s experience would have been invaluable. This is where America finds itself in cyberspace.
The Common Front Line in Cyberspace
This cybersecurity failure is a reminder that private U.S. entities and government organizations stand on the same cyber front lines. They face the same adversaries who use the same platforms, the same capabilities, and exploit the same opportunities. Likewise, while all networks have unique attributes, most private and public entities employ common operating systems, applications and cybersecurity tools, creating similar vulnerabilities.
Affected organizations are learning lessons from their individual networks that likely would be of use to all network owners and operators. Although authorities, processes and technical mechanisms have been developed to facilitate the flow of cybersecurity and threat information, the hack exposes the persistence of information sharing gaps in private to private and private to public relationships.
Government and private industry cybersecurity professionals hold pieces to a larger puzzle that can be solved only with the whole field in view. At the moment, these professionals see only part of the field, and not enough pieces to appreciate the nature of the puzzle. The sooner the pieces are made known to other operators the faster one or more of them may be able to identify threats, warn others, and share protective measures.
Information Sharing Obstacles
Inadequate information sharing results from regulations and incentives that may be sensible in narrow contexts but are not aligned with broader cybersecurity. From the government perspective, some of the most valuable cybersecurity information is protected by classification measures. Classified intelligence can be modified for use at an unclassified level, but processing time and the limited information may make that information irrelevant by the time it reaches the private sector.
Though not classified, private organizations are equally concerned and dependent on protecting their information. Exposure of confidential business information, such as intellectual property and clients’ data, will affect businesses’ value and reputation with consumers. Further, there are laws that prohibit companies from sharing certain information about their customers with the government, and significant expense involved with identifying and redacting information if it will be shared. While these barriers protect legitimate interests, they must be weighed against their impact on cyber and national security.
Despite the barriers, there are information sharing efforts. Federal statutes, including 2015’s Cyber Information Sharing Act, initiated processes and technical mechanisms for private organizations to share information with the U.S. Government. Many private organizations, aligned by sector, participate in Information Sharing and Analysis Centers that focus on cyber and physical security. Private entities’ information sometimes flows through these Centers to the government.
Federal government agencies, to include the Departments of Defense and Homeland Security, are working initiatives known as “Pathfinders” to support critical private sectors’ cybersecurity. The Securities Exchange Commission requires publicly held companies to inform shareholders of cybersecurity incidents that meet certain criteria.
These efforts should continue, but the scope of this hack demonstrates the efforts are insufficient to secure U.S. cyberspace. Cybersecurity depends on additional and faster information sharing. Unfortunately, there are not enough carrots and sticks to drive adequate exchange.
The Shared Cyber Ecosystem
While the Ford Motor Company analogy comes from fiction, there is an analogy from the real world that is useful: the natural environment. The worst violators of environmental protections have received all the benefits of their bad practices while the costs are suffered by many.
Perhaps cyberspace should be thought of like the environment … any one company is unlikely to fail because of malicious cyber activities specifically focused on them, but the entirety of cyberspace may be undermined through significant events that reduce trust in one’s own network, trust between buyers and sellers, and the general faith that cyberspace is worth investing in because it is here to stay. Were this to occur, all of cyberspace would be diminished as a means of commerce and communication. This would affect virtually every individual, private organization and government in the United States and beyond.
When considering whether to share cyber threat and security information with the government, private organizations’ leaders should keep in mind the integrity not only of their own networks, but cyberspace as a global system. The vulnerability of one’s competitor could be one’s own tomorrow.
An adversary we fail to defeat now will victimize others later. Likewise, the U.S. Government must continuously seek to empower and encourage public and private organizations to share every useful resource to protect U.S. cyberspace, from information, tools and capabilities to expertise and personnel, regardless of who possesses those resources at the moment.
When it comes to U.S. cyberspace, all of us are in the same security force.
About the author
Kurt Sanger is a lieutenant colonel and attorney in the United States Marine Corps. He has advised senior decision makers on military cyberspace operations for the past seven years. LtCol Sanger is a 2015 graduate of the Georgetown University Law Center National Security Law program. These opinions are his own and do not necessarily reflect official positions of the Department of Defense or any other U.S. Government organization.
The views expressed by guest authors also do not necessarily reflect the views of the Center on Law, Ethics and National Security, or Duke University.
Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!