On Sunday night, as news broke of one of the broadest state-sponsored cyberattacks in recent memory, former civilian cybersecurity chief Christopher Krebs was stuck tweeting. A state-sponsored attacker linked to Russia had compromised senior-level cabinet agencies, implicating huge portions of the government and private sector. Fired in November from his role leading the Cyber and Infrastructure Security Agency (CISA) after a political spat with President Trump, Krebs had to watch it all take place from the outside.
“I have the utmost confidence in the CISA team and other Federal partners,” Krebs said. “I’m sorry I’m not there with them, but they know how to do this.”
While it’s hard to say if he would have handled the hack differently, Krebs’ position on the sidelines underscores just how ill-prepared the United States is for a compromise of this scale. For the past four years, Trump has treated the federal cybersecurity effort as one more partisan battleground, with attacks and vulnerabilities embraced or rejected largely on the basis of their value as a political cudgel. Faced with a government-spanning compromise that will require deep analysis and careful cooperation, there’s little trust left to draw on, which could make a bad problem even worse.
To understand the challenge facing CISA and the rest of the government, it helps to understand the frustrating structure of this latest hack. The early headlines focused on agencies like the departments of treasury and commerce, but the hack is much broader than that, and we still don’t know precisely which systems may have been compromised and what data may have been taken. Digging out every possible compromise will take discretion and trust — the kind of qualities Krebs had been building up in his role and lost when he was abruptly shown the door.
The heart of the hack is a network management tool from a company called SolarWinds. State-sponsored attackers compromised that tool, enabling them to deploy malicious code to anyone using the system, disguised as a software update. Experts are still piecing together the details (there’s a detailed technical writeup from Microsoft researchers here and a more accessible explanation from the journalist Kim Zetter here), but the gist is that anyone who used the product was potentially exposed. In a financial filing earlier today, SolarWinds estimated that roughly 33,000 clients were vulnerable to the malicious updates, with “fewer than 18,000” actually infected. (The same campaign has also been linked to last week’s compromise at the cybersecurity firm FireEye.) It’s a huge hack, spanning vast and sensitive portions of both the federal government and the private sector — and we’re still in the process of figuring out what’s affected.
As you might expect, CISA (Krebs’ former agency) has been at the heart of the government response. In an emergency alert sent late on Sunday night, the agency called on every federal agency to assess its exposure, with reports due at noon on Monday. There’s a natural inclination to hide the damage (no one likes seeing headlines about how they might have been hacked), but an effective response depends on agencies being brutally honest. It’s the only way to understand the scale of the mess and start to clean it up.
Tackling that mess will take a lot of work and trust. Cybersecurity is a difficult job under the best of circumstances, and while the National Security Agency keeps military secrets locked down, civilian agencies (like treasury and commerce) are often left with few resources to fend for themselves. The result has been an embarrassing string of hacks, from the China-linked compromise of the Office of Personnel Management in 2015 (which, among other things, leaked the fingerprints of every federal employee) to a string of hacks at the State Department. Federal agencies have a terrible record of protecting data over the past five years.
Given a renewed mandate in 2018 to address the disastrous security at US civilian agencies, CISA hasn’t had much time to work — but under Krebs, the agency was gaining trust. The director had bipartisan support and was seen by the cybersecurity community as an impartial arbiter, someone who would be honest about the facts on the ground even if it was politically inconvenient. Then, a few weeks ago, he was fired for displaying exactly these qualities. As Trump raised groundless claims of election fraud to distract from his loss at the polls, Krebs issued a clear statement on the issue, saying he had seen no evidence of vote tallies being changed in the election. In a matter of days, he was out of a job.
We shouldn’t overstate Krebs’ work in preventing the hack itself. The SolarWinds compromise dates back to March, so it happened on his watch. There’s no indication that the past few months of compromise would be any less ugly if Krebs were still in the director’s chair. But the incident response would be less ugly. Acting director Brandon Wales hasn’t been confirmed and has held his position for less than a month. In the midst of an unusually chaotic transition, he’s asking agency infosec leads to trust him through one of the most sensitive events of their working lives. It’s a difficult position under the best of circumstances, and it would be much, much easier with a trusted hand in charge.
It’s all the worse because Krebs’ firing is just the latest in a long chain of similar incidents. President Trump took office actively denying the role of Russian active measures in the 2016 election, despite an unusually definitive attribution by US intelligence agencies. In the years since, he’s taken any suggestion of Russian influence as a personal affront and made denying it a kind of loyalty test.
Put simply, this is no way to run the world’s most powerful intelligence apparatus. I am not naive enough to call for a return to bipartisan comity, but we should be able to agree on basic facts like threats, vulnerabilities, and attackers. But the hazy nature of attribution has turned cybersecurity into a partisan battleground and ensured that nothing gets done on either side. Over the past four years, far too many Republicans have responded to persistent Russian attacks by insisting that there is no war in Ba Sing Se.
We may hope that when Trump leaves office in January, however begrudgingly, this pattern will start to change. President-elect Biden has made promising moves in his federal cybersecurity staffing, and at the very least, we can expect a return to the mild competence of the Obama era. But the past four years have taught us that institutions only improve through active effort, and the government only works when we insist on it working. In the wake of one of the most devastating compromises in federal history, it’s time to insist.