Marriott, Equifax, the Office of Personnel Management and the recent U.S. federal agencies — the big cyberattacks keep coming. They can start to seem like routine annoyances, like fender benders on the freeway. But anyone tempted to dismiss the recent SolarWinds and FireEye breaches as routine should think again.
This is no fender bender. It is a 75-car, road-closing pileup, and we know where the fault lies. The truth is, at the federal level, we're still dragging our feet on cybersecurity. Even though cybercrime now has a permanent roost atop the US intelligence community's annual Worldwide Threat Assessment report, there's a profound difference between identifying a problem and addressing it with Manhattan Project urgency. We have to shake off the complacency because we might not get a second chance.
Why is the SolarWinds-FireEye crisis so troubling?
When you think of cyberattacks, imagine a hierarchy of chaos. On the lower levels, that includes stolen credit card or health data. These are inconvenient but not crippling. Higher on the hierarchy are attacks on a single company or agency. They steal intellectual property, from auto blueprints to vaccine recipes or hold their systems ransom until payment is made. These are costly and temporarily crippling.
But this? This is peak chaos. This was a global supply-chain attack in terms of damage done with no precedent. It hit dozens of organizations from the United States Treasury to Intel and Cisco. We have not yet gauged the full impact. It may take years to sum up the costs.
"In effect, this is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency," said Microsoft President Brad Smith in a blog post earlier this month.
The hardest part to swallow may be this: The attackers' weapons of choice were not terribly novel.
You may have read accounts in which observers were shocked — shocked! — that, before hitching a ride aboard a software upgrade downloaded by thousands of customers, the malware nestled within SolarWinds systems for months undetected. That's actually not shocking. It's an old, familiar strategy. The enemy here worked from a venerable cyberwar playbook, yet defenses still splintered like wicker railroad bridges.
The truth is, although most cybersecurity vendors sell prevention, and big cybersecurity players keep assuring Washington prevention is the go-to strategy, breaches are guaranteed. Period. The real tonic is rapid threat detection and remediation. Without it, adversaries that evade prevention products find themselves roaming target networks at will, sometimes for month. In this crisis, it was nine months.
What's truly shocking is how potent and ruinous this well-known infiltrate-and-hide strategy proved to be at scale. Equally shocking: While the nature of this attack is crystal clear, its intent remains a mystery. Massive as it was, smart money says it was only a test or a warning shot. I think it's a mere indication of the havoc to come. And I suspect the malefactors behind this attack, state chaos agents or their proxies, are astonished at their success. They must be thinking: What are our next targets? A lot of wise analysis points to Russia, but other nation states are eyeing American assets and infrastructure as well. They too must now wonder what they might get away with.
The near-term solution lies closer to home. In light of this cyberattack, what I ask of President-elect Joe Biden and his security team is politically difficult, but absolutely critical. I ask for that rarest of political phenomena: bold action without a political mandate.
We know how most voters flick away news of cybersecurity lapses; we know how many other problems will preoccupy the Biden administration. The climate change issue reminds us how hard it is to ignite public support for preventing a disaster that hasn't yet happened. Nonetheless, only the federal government can put more pervasive, intelligent, multilateral cyber defense atop the action docket. Civilian leaders in Washington may not always understand cybersecurity, but that is where I and my allies in the technology industry can help. Inattention and dismissal have cost us dearly. Give us a chance to help with effective defenses while we still have time.
When a dangerous driver cuts you off on the freeway, you swerve, collect yourself, and drive on. But if six albeit well-concealed snipers open fire on the whole freeway, that's different – an order of magnitude different. That's our situation as 2021 begins. The scale of the threat has mushroomed; our enemies' ultimate mission is unclear. Under the next president, the United States' cybersecurity posture has to go beyond adding up the costs of the breakage. Next time they might be incalculable.
The author is President and CEO of Vectra AI, a threat detection and response company, based in San Jose, California.