Earlier this month, the huge Solar Winds hack became public knowledge. Reportedly, the victims had been accessed over a period of months starting in March 2020 by a “sophisticated threat actor” that’s widely believed to be the same Russian state entity (code-named Cozy Bear) responsible for the hack of the Democratic Party National Committee in 2016.
Solar Winds is the name of a Texas-based company specialising in remote network management. Its list of clients includes the US Justice Department, Commerce Department, the US Treasury, the Pentagon, all branches of the US military, major US universities, Yahoo, Microsoft, the Gates Foundation, the world’s four main accountancy firms, and 425 major US corporates on the Fortune 500. However, not all of those clients have been hacked. Or so it seems, at this point.
On its webpage, Solar Winds claims that “only” 18,000 of its clients worldwide may have been vulnerable. Apparently, this is because the hackers gained their back door access by exploiting a vulnerability in a network monitoring software product called Orion Platform. Understandably, the Solar Winds outpost in New Zealand has been keen to reassure users of its other products that the risk is limited to Orion Platform users.
In mid-December the government agency CERT NZ (for Computer Emergency Response Team) issued a useful advisory (since updated) on the Solar Winds hack. According to CERT:
You are affected by this vulnerability if you are using SolarWinds Orion products listed above, running versions:
• 2019.4 HF 5
• 2020.2 – 2020.2 HF 1
CERT NZ then lists 15 related Orion products, and advises firms using them to rebuild their systems using the patches now available, changing passwords on all accounts accessible to Orion services, and analysing the network configurations of all network devices managed by the Orion platform, with a view to altering them. Fine. Good advice. But how extensive are the problems in New Zealand arising from the Solar Winds hack? Not only is no-one saying, but it seems that no-one who knows would actually be allowed to inform the public.
It is a terrific way of saving face. If things go wrong, you can claim it would be a national security risk to reveal how extensive the problem is, let alone how come no-one noticed it before it became too late. In August, you may recall, the NZ Stock Exchange and a number of major NZ corporates and agencies were hacked by an undisclosed entity or entities. But beyond that, the GCSB isn’t telling because… that, allegedly, would be commercially sensitive information:
The GCSB cited national security reasons for withholding most information about August cyberattacks that crippled New Zealand’s stock exchange. MetService, Westpac Bank, and local media outlets Stuff and Radio NZ were also targeted in the wave of attacks. The bureau’s director general Andrew Hampton said releasing information could jeopardise commercial positions of entities that supplied information about the attacks.
Right. But… anyone doing “economic harm” to New Zealand’s interests (via a hack or other means) would be committing an offence under our security laws. Apparently, the “commercial positions” of firms that may have been compromised by an online breach outweigh the public interest in knowing whether (and to what extent) the nation’s economic interests have been jeopardised. And by whom. Even though it will be the public who will be expected to pay for much of the counter-measures to prevent it ever happening again. Nothing to see here, because no-one is allowed to see here.
Been Here Before
Moreover… only a couple of weeks ago, the security services were slammed by the Royal Commission into the Christchurch mosque shootings for facing in the wrong direction for security threats. (The SIS had systematically poured its counter-terrorism resources into an imaginary domestic threat posed by radical Islam, and had put too little effort into monitoring the actual threat posed by white nationalism.)
Well, the Solar Winds hack would suggest that once again, the security agencies were looking in the wrong direction. For example: much time and energy has been lavished on the imagined threat from suspected malware and security flaws in the technology supplied by the Chinese firm, Huawei. In the process, the security agencies were not looking in the direction where the real cyber threats were coming from – namely, malware inserted by Russian hackers exploiting the security flaws in technology supplied by a US firm, Solar Winds.
On this point, it is worth noting that the Royal Commission was not impressed by the level of online competence possessed by our security agencies. Presumably, the ability to detect and respond to cyber security threats will be a dimension of the reform (and the integration) of our security services recommended by the Royal Commission. Clearly, the problem isn’t simply one of local extremists accessing bad stuff on YouTube. The preventive measures that will be needed to detect and to counter hackers – local or foreign – pose a different level of threat, and this will now be competing for SIS/GCSB funds and human resources.
Unfortunately, New Zealand’s private sector has a pretty dismal track record (by OECD standards) of relying on the state to fund and carry out research and development work on its behalf. Arguably, NZ firms should be paying for a lot more of this R&D work themselves, and without the need for the massive tax sweeteners they get for taking the trouble to invest in their own future needs. (BTW, many of the same captains of industry decry the immediate gratification tendencies of people on benefits.)
In similar fashion, we need to ensure that the taxpayer isn’t landed with the bill (via increased funding for the SIS and GCSB) for equipping the private sector with effective cyber-security defences. ‘User pays’ should be the starting point.
Footnote One: Vox News has a good overview piece on the Solar Winds hack. As Vox reports, US President Donald Trump has been more active in shielding Russia from criticism than he has been in defending US interests:
Sen. Mitt Romney (R-UT) came forward on Thursday to compare the attack to “Russian bombers … repeatedly flying undetected over our entire country.” He criticized America’s “glaringly inadequate” cybersecurity defenses, as well as the President’s “inexcusable silence and inaction” in response to it.
Footnote Two: Interestingly, the Solar Winds hack was discovered by a private firm, and not by any government security agency in the US, or elsewhere. Reportedly, it was the security firm FireEye (not to be confused with the Five Eyes security network) that first detected the flaw in the Orion platform and then the hack, and their latest update is available here.
Footnote Three: The FireEye achievement highlights the glaring gap between Silicon Valley innovation on one hand, and the US federal ineptitude on cybersecurity issues. This has been the result of decades of inadequate funding of cybersecurity by successive US administrations. The inadequacy of State Department cyber systems was a prime reason why then-Secretary Hillary Clinton was using her private email to do official business.
During the run-up to the 2016 US election, the faux issue of Clinton’s emails – thanks to the combination of a credulous media and FBI director James Comey – probably cost Clinton the election. Several leading members of the Trump administration then proceeded to do their own official business via private email accounts. Well, the Solar Winds hack suggests that this could have been a more secure way of doing business.
Fishing has become the last major sticking point in the Brexit saga, and there has been a lot of UK flag waving about re-nationalising the fishing industry. On that subject, Ewan MacColl long ago wrote a song called “Shoals of Herring” about the harsh working conditions rife in the British fishing fleet, and the lure of the catch, regardless.
MacColl wasn’t exactly a likeable bloke. In the mid 1960s, he was one of the most virulent critics of Bob Dylan for “going electric” and – according to MacColl – thereby “selling out.” Back in the mid 1960s that was fighting talk. Yet MacColl himself actually wrote “Shoals of Herring” for a TV show, which for him, was quite OK. Good song, though.
Talking of Bob Dylan, he recently sold the rights for all 600 of his songs to Universal, for $30 million. Too bad he didn’t let his fans bid for the individual songs, for themselves and/or as a legacy gift to their kids. Dylan fans can only speculate which of the songs they’d have picked to buy, and how much they’d have been willing to pay for the privilege. That’s a fresh way of naming your favourite Dylan song/performance.
On most days, this would probably be my candidate. Among other things, “I’ll Keep It With Mine” is a compassionate expression of tolerance and empathy. In that respect, it serves to rebut the sentiments more commonly encountered in “It Ain’t Me Babe” and other Dylan songs of recrimination. Plus, this January 1965 version is a great piece of singing.