In March of last year, thousands of companies and U.S. government agencies were sent a routine software update. This happened regularly with SolarWinds Orion software. There was no reason to suspect anything was wrong with the update.
What they couldn't see at the time was a malicious piece of code buried deep within the update, a Trojan horse planted by Russian cyber soldiers looking for a backdoor to important American computer networks.
Nine months after that compromised software update, cybersecurity firm FireEye sounded the alarm. They had been hacked. Their crown jewels, what the company calls "Red Team tools," had been stolen. FireEye suspected that anyone who had downloaded and installed the SolarWinds Orion update had been hacked too.
While the full extent of the SolarWinds exploit is still not known, the information gleaned so far is concerning. The U.S. Treasury Department, Department of Justice, State Department, Energy Department, and the agency that protects and transports the U.S. nuclear arsenal, didn't see the Russians rummaging through their computer networks for nine months. Businesses, including software titan Microsoft, have also found their systems compromised by the update. SolarWinds says its products are used by 300,000 customers around the globe, and that 18,000 customers downloaded its compromised software update. More companies are expected to learn they were victims of the hack.
"This was an act of cyber terrorism," said Jon Miller, CEO of Boldend, which designs and sells cyber weapons to U.S. intelligence agencies. "The goal behind this was fear."
60 Minutes spoke to three cybersecurity experts who say they believe the U.S. government's current strategy for cyber warfare is inadequate and does not effectively deter its adversaries in cyberspace. They warn that if the U.S. government doesn't change course, the hacks will keep coming.
CLEAR LINES AND EFFECTIVE CONSEQUENCES
Jon Miller, a former "ethical hacker," said the U.S. is allowing this malign activity to happen. "We're letting them do this," he said. "And there's no repercussions to them whatsoever."
Miller said indictments against international hackers often don't lead to arrests. "The government will track down the individuals that were responsible in this breach. They won't get arrested though," he explained. "It just means that they can never travel to the U.S. And they get to continue hacking us day, after day, after day with no consequence in sight."
He suggested that the U.S. needs to define clear red lines for our adversaries and a commitment to attack if they are crossed. "We haven't drawn a line and said, 'This is enough. You have to stop attacking us, or we are willing to escalate it,'" he said. "We're not willing to attack. And that's what we're missing now. There's no capability that the United States has that scares them enough to not attack us."
A COLLABORATION OF DEFENDERS
Chris Inglis, a former deputy director of the NSA, said the separation between government and private enterprise, while bound by law and in line with American values, makes coordination on cyber defense difficult. Without a united line of defense, that separation can be exploited by an aggressor.
"It turns out that a division of effort is actually an agreement to not collaborate," he said. "One party's attempting to defend their patch and another party's defending their patch. Both sides are ignorant. And the aggressor can pick you off one at a time."
Inglis now works on the Cyberspace Solarium Commission, created by Congress to advise the legislative branch on cyber defense matters. He suggested greater collaboration between government and private business to identify and address cyber threats. "Unless there's some collaboration of the defenders," he explained, "No one person is going to have the god's eye view of what's happening in that network."
A CALL TO FIGHT BACK
James Lewis, a director at the Center for Strategic and International Studies, said fear of escalation has held the U.S. back from punishing Russia, and other nation states, when they step out of line. "Escalation's a reasonable concern. But it shouldn't be enough to say, 'Oh, we shouldn't do anything because the Russians might be mad,'" he said. "The goal is to make them mad. The goal is to make them afraid. How do you punish the Russians without triggering a major conflict?"
He suggested the U.S. experiment with tactics to find creative ways of inflicting revenge on Russia. "Could you interfere with their media? Could you start putting stories in the Russian media?" he offered. "The one that bothers them the most is corruption because it creates the popular discontent in their own populations that they don't want."
He said interfering with money allegedly stashed away in other financial systems by powerful Russians in government and business could be another deterrent. "We could interfere a little bit with their financial activities," the Center for Strategic and International Studies' Lewis suggested. "They have money squirreled all around the world."
James Lewis retains hope that the Biden administration will be more willing to explore an offensive strategy with the Russians, and other nations like China, who attack the U.S. in cyberspace. "[Biden] could rethink how we use the exquisite capabilities that NSA and Cyber Command have to inflict pain on Russia and the others," he said. "It's risky. But if we don't take risk, we're not gonna be able to work our way out of this."
The video above was produced by Will Croxton and Mabel Kabani. It was edited by Will Croxton