State-backed hacks of US, Israel herald new age of cyberwarfare

CYBER AFFAIRS: One lesson of these latest hacks is that hackers can be like the ancient demon hydra – you lop off one head, and multiple other heads sprout.

PUBLIC-PRIVATE sector technological cooperation and dependence have grown recently to unprecedented levels. (photo credit: Wikimedia Commons)
Cyber wars as a field of combat were transformed in the last two weeks, with both Israel and the US hit like a ton of bricks.
Some of the most sensitive personnel and operations in both countries may have been exposed, and in the US, it may have been going on since March.
All of this leaves two of the world’s top cyber powerhouses with a string of question marks about whether it is even possible to defend their countries’ digital space and whether there is any counterstrike that can be used to deter similar mega cyberattacks in the future.
In Israel, the first big news was the attack on insurance giant Shirbit. This led the Israel National Cyber Directorate (INCD) to direct large volumes of the country’s citizens to change their identity cards and driver’s licenses to avoid identity theft.
Significantly, Shirbit serviced many Israelis in the defense sector, leaving some of those sensitive personnel potentially compromised.
The other major Israel cyber event came when cyber security firm Check Point issued data showing that Shirbit is only the largest and worst case in a spike of cyberattacks on Israeli companies in recent months.
A total of 141 companies were hit with ransomware attacks in November alone, and 137 were attacked in October.
Although ransomware attacks sound like criminal cyber activity, Check Point said that all signs were that an enemy nation state with anti-Israel goals was pulling the strings.
Both in terms of capabilities and motivation, Iran would be near the top of the list as sponsoring the hackers. As shocking as the scope of these cyberattacks on Israel is, they likely pale in comparison to the cyber sledgehammer that has hit the US.
It started with an announcement by FireEye, a top cyber security firm that usually blocks and diagnoses attacks by Russia, Iran and other cyber powerhouses, that it had suffered an unprecedented hack. Often FireEye is helping the FBI catch up on some kind of major hack in the US, such as against Sony, Equifax or the US State Department. This time, the top cyber defender is among the key victims.
FireEye’s “red team” tools, used to help large US companies and government agencies by probe-hacking them to locate and patch their vulnerabilities, were stolen. That means the hacker (the overwhelming presumption is Russia) can now use FireEye’s tools to hack at will. It can even cover its tracks by making it look like it was FireEye and can better anticipate what tools FireEye and the FBI might use to try to track hackers in the aftermath.
At this point, the diagnosis is that the hacker was primarily stealing tools for hacking US government agencies. That hack in and of itself could have led to months if not years of fallout in cyberspace. But within days, it turned out that FireEye was only hacked because its trusted third-party software supplier, SolarWinds, had been hacked dating back to sometime in March. SolarWinds also supplies software to a myriad of US government agencies and top companies.
IT TURNS out that updates SolarWinds sent in March and June were infused with malware and that the US Department of Homeland Security (DHS), the Pentagon, the Treasury Department, the Commerce Department, the US Postal Service and the National Institutes of Health have all likely been compromised. Incidentally, the government’s primary agency for protecting the civilian cyber sector resides within the DHS.
No one knows how many emails about the US’s cyber security plans, or how many codes, passwords and vulnerabilities, the likely Russian hackers picked up. But cyber experts are framing the hack as one of the most sophisticated of all time.
On December 13, the DHS’s cyber agency took the extraordinary measure of issuing an emergency directive to all federal agencies to immediately disconnect the affected SolarWinds’ products from their networks. According to SolarWinds, “only” around 18,000 of its over 300,000 customers have been infected by the update. That staggering number means that top Israeli cyber officials estimate that the volume of infected networks will not get anywhere near the autonomous virus WannaCry, which spread throughout the globe in 2017.
But these same experts also say that the time, investment and sophistication in these attacks were far beyond anything they had seen before. According to US experts, the hackers entered the network back in March and then sat dormant for weeks to make sure that they would not be tracked. They then took their time to spread and explore infected networks piece by piece, moving slowly so that no sudden spike in unauthorized activity could be traced. When the hackers infected updates to be sent out to SolarWinds customers, they took the time and had the skill to forge the company’s actual digital keys so that malware detection programs would have no chance at catching them. A hack of the NSA’s cyber tools in 2016 is being tossed around as comparable, with that costing an estimated $10 billion once Russia and North Korea turned the NSA’s tools on the West.
Bizarrely, the White House has been silent, though Trump’s national security adviser Robert O’Brien cut short a European trip on Tuesday and rushed back to Washington to deal with the attack. In any event, US Sen. Mark Warner (D-VA), vice chairman of the Senate Intelligence Committee, responded to the hack, saying companies’ cyber security has improved, “but this case also shows the difficulty of stopping determined nation-state hackers.”
He added, “As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely.”
CYBER EXPERTS have said that the government alone cannot keep up with all of the constantly developing and evolving software applications. This is why public-private sector technological cooperation and dependence have grown recently to unprecedented levels.
But what should the US and Israeli governments do when being dependent on even the best of the private sector in the cyber sphere means being vulnerable to a range of other threat vectors?
Part of the lesson of this attack is that still no one is taking “supply-chain” style vulnerabilities seriously enough. A supply-chain attack refers to a phenomenon where a private company or government agency may have done everything right with the billions it spent on its own state-of-the-art cybersecurity. Yet, it gets taken down by one of many third-party providers who assist with one small piece of its business. The hack also shows the relentless nature of cyber wars.
In many ways, the US has been patting itself on the back that it blocked Russia from intervening in either the 2018 US midterm or 2020 US presidential elections the same way Moscow injected itself into the 2016 US presidential elections. Part of the success was that the US military cyber command initiated an extensive preemptive attack on Russia’s Internet Research Agency and associates leading up to both elections.
Yet, it seems that one lesson of these latest hacks is that hackers can be like the ancient demon hydra – you lop off one head, and multiple other heads sprout.
Further, in July, US Cyber Command chief Gen. Paul Nakasone said that American cyber efforts are underfunded if there is a desire to take a more offensive posture. His predecessor, Keith Alexander, has concurred.
RETURNING TO the original question of whether the US and Israel can defend their cyberspace and deter future attacks – it seems there are two answers. If the question is about mitigating the damage of attacks and limiting all but the most sophisticated and disciplined planners, then there is hope. This would be especially true if both the US and Israel were willing to escalate counterattacks on the attackers to a point where the cost would go beyond what they gain from cyberattacks.
In May, Israel reportedly used cyber capabilities to shut down one of Iran’s largest ports for days to send a message after the Islamic Republic allegedly tried to hack Israel’s water sector in April. On December 10, without referring to a specific event, IDF Chief of Staff Lt.-Gen. Aviv Kochavi made a rare public acknowledgment that Israel has increased its offensive cyber operations in 2020.
But these days, one US or Israeli series of offensive cyberattacks may not be enough to deter a patient and disciplined aggressor.
Rather, a much more massive or repeated demonstration of US and Israeli cyber superiority might be needed. But this risks escalation to a point where the richer and more technologically dependent US and Israel might have more to lose.
So if the question is whether any country can completely hermetically seal itself from top-tier cyber intrusions, the answer is unequivocally no. After that, the real question is, given that cyber aggressors are far bolder and pose a far greater danger to the US and Israel than before, can Washington and Jerusalem escalate just enough to stare down their adversaries without crossing a line into chaos?
Whether cyber and political leaders can strike that balance will be one of the key dynamics which could decide the fate of our era.