companies to destructive attacks that shut down business operations to the interference in the foundation of our democracy: our elections. The challenges we face were highlighted just over a month ago, in December of 2020, when we learned that multiple customers of SolarWinds, a network management company, had been compromised by a sophisticated supply chain attack by a nation-state adversary believed to be affiliated with one of Russia’s intelligence services. The latest supply chain attack has drawn attention to serious gaps in the U.S. cybersecurity strategy.

As a threshold matter, I believe that it is misleading to refer to this most recent breach as “the SolarWinds hack.” Although SolarWinds was a prominent attack vector that received early attention in the press, we now know that it was only one of many supply chain vectors that the adversary used to gain access to private networks. Because investigations into the scope of the attack are still ongoing, we cannot even say with confidence that SolarWinds was one of the largest or most significant vectors. Continuing to refer to the breach as “the SolarWinds attack” distracts from the reality that the breach went far, far beyond a single company. As a result, I, along with other security practitioners, have begun referring to this hack as the “Holiday Bear” operation.

Additionally, as we have learned more about the breach over the past two months, I’ve come to believe that it is also misleading to refer to this incident as a singular attack, or even as a coordinated campaign with a defined end date. Simply put, the sort of sophisticated, long-term cyber-espionage enabled by supply chain vulnerabilities that came to light through this breach is not a discrete or self-contained occurrence; it is the new normal. It is clear to me that the Russians have learned from their past operations.
Throughout 2014-2015, the SVR, the Russian foreign intelligence agency believed to be responsible for this most recent activity, launched a broad campaign which gave them access to the networks of the White House, the Joint Chiefs of Staff and the State Department, among others. The success, however, was short-lived, as U.S. defenders quickly detected the noisy campaign and ejected the adversary within weeks. I believe that those original mistakes led the SVR to reevaluate how they conduct new cyber operations and focus on compromising software supply chains in order to gain access to target networks in a much stealthier fashion and to remain in them for weeks, if not years.

In some ways, this tradecraft is the cyber equivalent of the Russian Illegals program, long practiced in human espionage operations: an extremely patient and long-term effort to gain maximum access to high-value U.S. targets. Since the 1930s, Russia has been sending covert sleeper operatives into our country under non-official cover to live and work amongst Americans and over years get close to powerful officials in order to steal our secrets. Unlike the Illegals program, however, supply-chain-based cyber intrusions are much easier and cheaper to scale to hundreds of high-profile victims, all without putting their human intelligence officers at risk. I believe that this is the Russians’ new way of doing business in cyber operations, and I suspect we will continue to see this new approach for years to come. We have also seen China’s
Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience