Russians hack many US government systems

No one spotted it until it had been in the wild for several months.

Whew, lucky that isn’t my position. It’d put me out of a job if it was.

My actual position: The only way to have avoided this would be to have better security practices at SolarWinds controlling their update servers, or for their product not to have been so popular at large organizations.

If you’ve got a way that Trump could have fixed that, then you’ve got an argument with me. If not, please stop coming up with alternate positions you’d rather argue with and attributing them to me. I mean, hell, is Trump responsible for all the times a piece of commercial software is exploited while he’s in office? Because that’s what happened here. That’s a pretty damn ridiculous position, and I don’t see how your position differs from that.

We can read what you wrote, and you’ve written it again:

Your stated position is that there was no conceivable way for anyone in government service to have fixed or improved this situation over the past few years, whatever resources were dedicated to it?

Your position and the burden of proof that you seek to place on me make absolutely no sense. You are claiming that the well documented fact that Trump was removing resources and smart people from cybersecurity is irrelevant.

A trojan carried by the SolarWinds updates was used to place other malware on client systems.

With more security personnel checking critical systems for malware, they could have found out what was happening sooner.

I’m certainly of the position that those budget cuts had nothing to do with fixing SolarWinds’ practices. You’ve provided no mechanism how they might have.

That’s still not preventing or avoiding this hack, it’s just reacting sooner.

I’ve cited clear evidence that Trump has systematically been taking financial resources and smart people away from cybersecurity for years. I don’t think you’re disputing that.

What more do you think I have any burden to prove here? I’m not a technical expert in cybersecurity, in that I bow to your superior knowledge. But the burden is on you to support your preposterously implausible hypothesis that however many smart people and whatever resources might have been dedicated to this over the last several years, nothing could possibly have stopped or ameliorated this hack. So it was perfectly fine that Trump took money and people away from cybersecurity to build a wall instead.

And further, to explain why you claim that I’m parodying your opinion when I point out that a natural consequence of your view is that there’s no point funding cybersecurity in the future either. If you think it could not possibly have achieved anything in the past, why do you think it could achieve anything in the future?

Nope, the burden is on you to prove that those budget changes would have prevented the hack. I’ve never said no amount of resources would have fixed it, but unless those resources were applied to fixing SolarWinds’ practices or replacing its use, this was almost inevitable.

I’ve never said anything of the sort. The moving of this money was stupid in the extreme, but it would not have prevented this.

Hacking of some type? Yes, of course.

But we’re talking about a matter of degree, and we’re also talking about the timing. It’s arguably a more provocative type of hacking than the garden variety intrusions that governments of all stripe engage in. But even if we disagree on this point, what’s less debatable is that the response from Trump was predictable, and it a) encouraged the hacking before it happened; and b) will likely encourage more hacking in the future until a US administration establishes its own rules of engagement.

The US needs to show that it is capable of retaliating in kind. Right now, it’s not showing that at all. It’s showing the opposite, and what’s also not clear is…who is defending US interests from within the Trump administration. Mike Pompeo has come closest to saying that this is an act of hostility, but that’s it.

I think it is very likely that there is some degree of coordination within the Kremlin and within the White House. The behavior of the administration is just too damn bizarro to believe otherwise.

We did in fact find out about this hack, right? So finding out about it is something that’s possible. And I think it’s safe to say that we found out about it as a result of someone doing something. And whoever that someone was, and whatever it was that they did, it would have been at least theoretically possible for someone to have done it sooner. And Trump gutted the someones who were supposed to be trying to do just that.

But to get more specific than that: The government was using SolarWinds for secure purposes. When the government uses a piece of software for secure purposes, they should first be checking to see if the software is secure. They shouldn’t just take the company’s word on it. And that independent security checking is one of the things that’s supposed to be done by the agencies Trump gutted.

Could they have missed spotting this even if they’d been adequately funded and otherwise supported? Sure, maybe. Or maybe not. We don’t know, because we live in the world where they weren’t adequately supported.

Yes, I would agree this is a very severe hack. However, it was going to happen no matter who the president was once SolarWinds’ update server was compromised. Trump’s idiocy doesn’t enter into when this was executed. They got the opportunity, and worked as hard as was prudent until the hack got shut down.

Rules of engagement? This is the internet, baby. You can moan and cry, or you can issue sanctions, but I don’t think that any rules of engagement are going to save you. In the case of SolarWinds, it appears that there were indications of lax security there before this happened, and industry/institutional inertia may have contributed to their not being discarded. If you started instituting audits of the security practices of the companies as suggested by Chronos in the post following yours, you might be able to successfully combat some and possibly most of these kinds of supply chain attacks. But that’s not done in most software employed by the government these days, and it would have a side effect of slowing the technologies available to the government, and increase its cost (which would have its own security costs and time-based vulnerabilities).

Ehh, I think we’ve already shown we can stockpile zero day hacks. I don’t think the results have been positive, so far. If we were to devote resources to anything besides the massive cleanup that’s needed now, I’d say it should be to finding and notifying software producers of their holes in both their product and production.

Yeah, you make it sound simple. As far as I know we found out about this hack by FireEye having its red team tools stolen. They found out about the SolarWinds hack because they wanted to know how those tools ended up in the wild, and worked backward from there. They didn’t notice the malicious actors before their tools were stolen. If an actual security firm isn’t going to notice it except in retrospect, I can’t see how their customers are going to be able to fix the same problem by throwing cash at it.

Yes, sure! Hackers gonna hack, whatcha gonna do?

No point in trying, even. Might as well just defund cybersecurity completely and hand everything over to the Russians. Building a wall is the best security.

:grinning:

This is a complete misrepresentation of my position, but thanks.

:clown_face:

You seem to be contradicting yourself.

  • First you say that defunding cybersecurity couldn’t possibly have had any effect.
  • Then you say that if more money is spent, it could in fact combat attacks like this.
Then you yourself suggest the mechanism how they might have:

So you say that “instituting audits of the security practices of the companies” would work, and that resources devoted to “finding and notifying software producers of their holes” is a good idea.

But funding those audits and resources is apparently not a good idea, and couldn’t have made any difference? :face_with_raised_eyebrow:

There’s an interesting philosophical discussion about what is and isn’t “science”. For example, one idea was that science consists of falsifiable assertions, where “falsifiable” is a subset of “testable”.

“Couldn’t have made a difference” is an example of an assertion that can’t be tested, and is not falsifiable. It’s just a polemic.

We’re not discussing the philosophy of science, but politics and current events.

Trump deliberately defunded cybersecurity in the face of several years of increasing Russian cyber attacks. That was obviously a bad decision in itself.

When that was followed by a massive and successful Russian cyber attack, we certainly have a right to wonder if that attack could have been mitigated by not defunding cybersecurity.

I mean, right? :laughing:

We can walk and chew gum at the same time.

Look, I absolutely agree that hacking is hacking, and spying is spying. It’s like cheating in football. Every team’s gonna try to gain an edge, but there’s a difference between getting an edge and stealing a team’s playbook.

Moreover, if we don’t respond and if nothing else hold another state sponsor of intrusions responsible, the message that is sent may well be the opposite of the policy, and that is dangerous for all parties involved. If state A communicates to state B that there’s no formal response for a level 1 or 2 provocation, then state B will assume that it’s okay to escalate to level 3 or 4 provocation, when in fact, state A marks the threshold for a massive response at level 2. The problem is that, right now, there are not clear rules of engagement. “It’s the internet baby” is not the answer we’re looking for. It’s extremely dangerous not to have clear rules of engagement.

This is your misinterpretation of what I’ve said. I’ve consistently said that unless this budget was being applied to SolarWinds’ activities, it wasn’t going to prevent this hack. This is true: if you’d tripled our cybersecurity budget, it was unlikely to fix the practices at a private company that isn’t under that budget. Fact is, the government doesn’t audit most of the private companies it buys software from, and I don’t know of any part of that budget that would have been applied to doing so.

For the third time: THAT BUDGET COULD BE USED FOR THE CLEANUP, BUT IT WOULD NOT HAVE PREVENTED THE HACK EVEN IF IT HAD NOT BEEN DIVERTED. It shouldn’t have been diverted, but that’s for a million other very good reasons not related to this hack.

Quite honestly, if you try to pin this hack on Trump, you’re only showing your own ignorance of how the situation worked out. I’ve tried to make this clear. This apparently makes you sad enough that you’re willing to try to paint anyone who disagrees with you on it as a Trump supporter, and I’ve been accused of supporting the wall without any supporting evidence in this thread twice for my trouble.

So, if you could try to understand what I’m saying instead of trying to run the whole thing as some sort of partisan gotcha, I’d appreciate it. If the fucker shows up in the crosswalk, I’m not hitting the brakes, and defending him doesn’t make me happy – but it’s true this was going to happen no matter who led the country.

Where exactly do you get this opinion from?

Both government and the private sector have been calling for a close partnership for years, but nothing was done about it, because there was no funding for it.

Note the dates on these articles:

2016:

The public-private cybersecurity partnership between private companies and U.S. Cyber Command and other federal agencies has been uneven so far despite some fledgling success, but collaboration is critical given growing threats to everyone from cyberspace, the commander of U.S. Cyber Command said here yesterday.

2017:

Among the areas of opportunity he recommended to enhance greater partnership and collaboration are:

  1. HHS appointment of a Healthcare Sector Cybersecurity Liaison to the private sector.

2016:

As a result, the electricity sector is demanding more access from regulators and federal partners to actionable intelligence and threat streams. With this added intelligence, utilities can better pinpoint threats to specific systems and focus efforts on system recovery and restoration.

2017:

that same type of coordinated response across the public and private sectors is exactly what “we need to defend our country against major cyber-attacks.” But former Secretary Pritzker also recognized that achieving this unified partnership between government and business may require “fundamentally changing” the way businesses work with federal agencies to counter cyber threats.

Again nothing was done about this, because there was no funding for it.

I wonder if the roll-out of the Cybersecurity Maturity Model Certification (CMMC) would’ve helped with this sort of problem? DoD will be the first to roll out CMMC but I’m guessing it will spread to other agencies. And if you were curious, SolarWinds can help you prepare for CMMC:

:rofl:

And we certainly have the right to say – nah, not so much.