Recent cyber attacks by the Russian and Chinese governments involving SolarWinds and Microsoft exposed cyber-related vulnerabilities in the supply chains of many large and small companies that rely on SolarWinds and Microsoft for their internal security and IT services, which also experienced security breaches as a result of these attacks. Two former DOJ National Security officials from the Obama and Trump administrations will discuss the impact of these attacks, possible criminal and non-criminal responses, and pros and cons of each approach.
Kellen Dwyer, Adjunct Professor of Law, Antonin Scalia Law School, Former Deputy Assistant Attorney General, National Security Division
Alex Iftimie, Partner and Co-Chair, Global Risk & Crisis Management Practice, Morrison & Foerster LLP, former Deputy Chief of Staff and Counsel to the Assistant Attorney General, National Security Division
Moderator: Brian Lichter, Senior Director - Legal, Global Investigations & Cybersecurity Counsel, Cognizant Technology Solutions
Dean Reuter: Welcome to Teleforum, a podcast of The Federalist Society's practice groups. I’m Dean Reuter, Vice President, General Counsel, and Director of Practice Groups at The Federalist Society. For exclusive access to live recordings of practice group teleforum calls, become a Federalist Society member today at fedsoc.org.
Evelyn Hildebrand: Welcome to The Federalist Society’s teleforum conference call. This afternoon, April 6, we discuss “Nation-State Cybercrime: Perspectives on the Problem and Response with Two Former DOJ National Security Officials.” My name is Evelyn Hildebrand, and I’m an Associate Director of Practice Groups at The Federalist Society.
As always, please note that all expressions of opinion are those of the experts on today’s call.
Today, we are fortunate to have with us a distinguished panel, Mr. Kellen Dwyer, Mr. Alex Iftimie, and Mr. Brian Lichter. I will now introduce our moderator, Mr. Brian Lichter, and he will introduce our speakers.
Brian is a member of the Executive Committee of the Criminal Law and Procedure Practice Group and currently serves as a senior director in the legal department at Cognizant Technology Solutions, a Fortune 200 technology services company, where he manages sensitive internal and government investigations and serves as the company’s cybersecurity counsel. Prior to joining Cognizant, he was an attorney with Latham & Watkins and a trial attorney with the Justice Department’s Public Integrity Section. He began his legal career as a law clerk to Chief Judge Diane S. Sykes on the U.S. Court of Appeals for the Seventh Circuit.
After our speakers give their opening remarks, we will turn to you, the audience, for questions, so be thinking of those as we go along and have them in mind for when we get to that portion of the call. With that, thank you for being with us today. Brian, the floor is yours.
Brian Lichter: Thanks very much, Evelyn, and good afternoon, everyone. Thanks for being with us today. So as many of you may know, cyberattacks, including cyberattacks committed by nation-state actors, have been on the rise over the past several years, and at least right now, this trend doesn’t show any signs of abating.
Recently, there have been a couple of attacks that target the information security supply chain, and these attacks have been particularly impactful. We want to discuss those attacks today. Just by way of brief background, in December of 2020, it became public that SolarWinds, a software company, was the victim of an attack whereby a threat actor inserted malicious code into SolarWinds software.
SolarWinds then unknowingly pushed updates to its customers containing this malicious code which the attacker then used to gain access to the systems of certain SolarWinds customers. Victims of this attack included many major companies and U.S. government agencies, and news reports suggest that Russian state actors were behind this attack.
The second attack became public in March of 2021 when it became known that Chinese state actors exploited certain vulnerabilities with Microsoft Exchange servers, which gave attackers access to and, in some cases, control over the systems of private companies and government organizations that used Microsoft Exchange.
Today, we want to discuss how the U.S. government can respond to these attacks and to future attacks. One option that we all probably know of is to initiate criminal prosecutions against bad actors, but that may not always work because the defendants may not be able to be extradited to the United States.
A second option that’s used is to impose sanctions, but people debate the effectiveness of the sanctions-based response. We want to discuss those two options and some additional ideas and additional policy decisions that can be made to respond to these attacks. And so to help us understand this issue better, I’m pleased to welcome two friends of mine who are both distinguished former national security prosecutors and officials from the Obama and Trump Justice Departments.
First, I want to introduce Alex Iftimie. Alex is a partner at Morrison & Foerster, where he’s Co-chair of the Global Risk and Crisis Management Practice and is a member of the national security and privacy and data security practices. His practice involves advising clients on sensitive cyber and U.S. national security matters, internal investigations, and government enforcement actions, and he’s counseled many Fortune 500 and high-growth companies on ransomware and nation-state cyberattacks.
Prior to joining MoFo, Alex served as counselor to Attorney General Loretta Lynch, Counsel and Deputy Chief of Staff to the Assistant Attorney General for the National Security Division, and Special Assistant U.S. Attorney in the U.S. Attorney’s Office for the Eastern District of Virginia, where he brought the department’s charges against Russian efforts to interfere in the 2018 midterm elections. Alex graduated from Yale Law School and began his legal career as a law clerk to Judge Motz on the U.S. Court of Appeals for the Fourth Circuit.
Our second panelist is Kellen Dwyer. Kellen is currently an adjunct professor at the Antonin Scalia Law School at George Mason University, where he teaches classes on cybercrime, electronic surveillance, and data security. Most recently, Kellen served in the Justice Department for seven years, first as an AUSA in the Eastern District of Virginia, then as Counselor to the Assistant Attorney General for the National Security Division, and finally as Deputy Assistant Attorney General in the National Security Division.
As an AUSA, Kellen prosecuted some of the department’s most consequential computer hacking cases and is a recipient of the Attorney General’s Award. Most recently, as a Deputy Assistant Attorney General in the National Security Division, Kellen oversaw the division’s legal policy and appellate units and oversaw the department’s policy on supply chain security, among other issues. He also oversaw some of the division’s most sensitive cases and appeals before the Supreme Court, U.S. Courts of Appeals, and the Foreign Intelligence Surveillance Court of Review.
He’s represented the department on the National Security Council, advised the U.S. Cyber Command, and helped coordinate government-wide responses to major cybersecurity incidents. Prior to joining the Justice Department, Kellen was an associate at Kirkland & Ellis, and he began his legal career as a law clerk for Judge O’Scannlain on the Ninth Circuit and Judge Karas on the U.S. District Court for the Southern District of New York. He’s also a graduate of Yale Law School.
So Alex, Kellen, welcome. Alex, first I want to turn it over to you. I’m hoping you can provide the audience just with an overview of the SolarWinds attack and the impact of that attack.
Alex Iftimie: Hey, everyone. It’s good to be with you. And thanks, Brian, for that intro, and good to be talking on this topic with Kellen in particular. I think, Brian, you gave a good intro of the SolarWinds incident at the outset, and I expect many in this group, are familiar with the details from the news. But just to set the stage for our discussion, as Brian mentioned, it’s believed that Russia was behind the attack, and the U.S. government has attributed the attack to an advanced persistent threat actor, likely Russian in origin. And in the coming days, I expect the government to come out with a more conclusive attribution statement and also a policy response to the activity that’ll include a mix of sanctions and other responses.
What makes this incident unique, from my perspective, is that rather than finding and exploiting an existing vulnerability in a system or using a spear-phishing attack to obtain the credentials of a user and penetrate the network, the Russian hackers responsible for the SolarWinds compromise hacked into a software developer’s network, SolarWinds’ network, and introduced a vulnerability into a common IT product that is used by government agencies and thousands of businesses across the world.
The hackers placed the malware into a SolarWinds Orion software update, which was subsequently distributed to more than 17,000 customers. And essentially, the systems of those impacted customers then beaconed back to the attacker’s command and control infrastructure, and the attacker could then pick and choose which victims to exploit further, based on who the Russian hackers were interested in.
So I do think it’s important to note that although there were over 17,000 victims in which the backdoor was introduced as a result of the compromised SolarWinds software, the number of victims where the Russian hackers walked through that backdoor and further exploited the environment is believed to be closer to 100 victims. Among those victims are reported to be prominent government agencies like DHS, the State Department, and DOJ.
In most of those cases, based on the public reporting, it seems like the main target of the actors was the email communications of those various agencies, including, as has been reported in the press, cabinet-level officials’ emails being taken. There was no destructive aspect to this attack. This was not a hack-and-dump operation. So far, the activity seems consistent with an intelligence-gathering effort, and in that respect, it has been described as traditional espionage. And I’ll also note that this is not the first of its kind by Russian actors.
Famously, in 2017, Russian hackers are believed to have released the destructive NotPetya attack against Ukraine by introducing malware into the update cycle of a widely used Ukrainian tax accounting software, and that was how they were able to deploy that destructive attack back in 2017, and there seems to be some obvious similarities there. I also think there are some things that make this attack unique from other types of traditional espionage, but maybe I’ll hold off on that for now, and we can talk about some of that as we get into the potential responsive actions.
Brian Lichter: Thanks, Alex. That’s a great overview of the attack and its impact. To continue setting the stage, Kellen, I want to turn it over to you so that you can provide a little bit more detail on the Microsoft Exchange attack.
Kellen Dwyer: Sure. And thank you for setting this up, and thanks to everyone for tuning in. Microsoft’s Exchange is a service that allows enterprises to run their own email servers, and it’s very widely used, particularly amongst small- to medium-sized businesses, as well as educational institutions, nonprofits, and smaller government entities. And that’s because it’s, frankly, cheaper than outsourcing your email to a cloud service provider.
In January of 2021, Microsoft learned that Microsoft Exchange had four so-called zero-day vulnerabilities that were being actively exploited by state-sponsored Chinese hackers in order to gain access to the email servers of clients who used the product. And for those on the call who are not tech nerds, a vulnerability is essentially a design flaw that can be exploited by a hacker to gain unauthorized access to a system, and a zero-day vulnerability is one that is not known to the company that has the vulnerability. The name “zero” comes from the number of days since the vulnerability has been revealed.
So vulnerabilities are common, and that’s why companies typically send out software updates to patch them. What’s unique about this case is that in late February, it appears that PRC actors learned that Microsoft was preparing to push out a patch to fix the vulnerabilities in Exchange, and they responded by essentially scanning the entire internet for vulnerable Microsoft Exchange servers, and then compromising every single one of those servers before they could be patched.
And it’s really hard to overstate how unprecedented and just how reckless that action was, because in order to gain ongoing access to these unpatched servers, the PRC hackers installed what are called web shells, essentially backdoors into the networks. And web shells are often not protected by strong passwords, which means that the person installing the web shell can’t prevent other malicious actors from using them. So that means that the servers infected with these PRC web shells—and there are reported to be at least 30,000 of them—are now vulnerable not just to the Chinese state-sponsored hackers but to any criminal actor who’s able to exploit that, and this could include ransomware gangs.
And then, importantly, patching the -- Microsoft has put out a patch, but patching the original vulnerability does not solve the problem for the victims who have these web shells on their networks. That would be like fixing the door that a burglar uses to get into your house after the burglar’s already in the house, so more has to be done to evict them. And that’s why we’re seeing -- a number of security analysts are now predicting that we’re going to see a huge uptick in ransomware attacks as a result of the actions from the Chinese hackers in this case.
Brian Lichter: Thanks, Kellen. That’s also a great, great overview of the Microsoft Exchange vulnerability. Can you talk a little bit about, did this target -- were the victims of these attacks government agencies, and private companies, just the private sector? What sorts of government agencies were impacted?
Kellen Dwyer: I think that typically the big government agencies -- and I don’t want to speak -- obviously, I was out of government when this happened, and I don’t want to speak for the government, but my understanding is that the bigger government agencies don’t use Microsoft Exchange because that’s typically a cost-saving measure they use when you want to buy the Microsoft software but still run your own email server. So there are government entities -- my understanding is that it’s more likely to be state locals that would’ve been using this product as well as educational institutions, some large businesses, but probably more likely small- to medium-sized businesses.
Based on the public reporting, the target of the Chinese espionage operation was things like nonprofit think tanks and educational institutions, but they weren’t the only victims of this kind of follow-on action when they moved to this reckless pillage-everything model, and it looks like they essentially just said, “Well, we’ll just compromise every unpatched Microsoft Exchange server we can find, and we’ll figure out later whether any of them have any intelligence value.”
Brian Lichter: Okay. Thanks. Thanks. That’s, I think, helpful to contextualize who the victims of the attack were. So I want to move on, with that overview in mind, to talk a little bit about possible responses. So I want to start first just with one of the most common and obvious responses, which is criminal prosecution. Kellen, you were an AUSA in the EDVA, which has a robust cybercrime group, and you prosecuted some of these cases when you were there. So can you talk a little bit about why the government might want to undertake a criminal prosecution in response to an attack like this and what the advantages to doing that would be?
Kellen Dwyer: Sure. And I think we ought to first talk about attribution because I think that attribution is related to prosecution, but it’s not the only way to do it. We’ve already attributed the SolarWinds attack to Russia, and as Alex pointed out, we’ll probably see more specific attribution coming out. But so far, there hasn’t been an attribution to the Chinese actors for the Microsoft Exchange hack. Microsoft attributed it to China, and I believe Jake Sullivan said that he’s not willing to do so now, but he expects to do an attribution in the future.
In my view, we absolutely should engage in attribution. Part of the reason that nation-states like cyberattacks is that they are deniable. And our adversaries know that even if everyone suspects them of a cyberattack, that maintaining plausible deniability makes it harder for the international community to marshal a quick and coordinated response.
So our adversaries need to know that every time they attack us, we will call them out, and that, if necessary, we have the ability to provide proof. And attribution is especially important as it relates to the Microsoft Exchange hack because the Chinese—and I would say more than the Russians—care about their international reputation, particularly as it relates to cyberspace.
Now, the Chinese want countries to trust them enough to buy Huawei products. They want to overtake us as the number one exporter of technology products, and that requires people trusting you. So being publicly tied to a major cyberattack is bad for business, and it’s especially true here because this was such a reckless and irresponsible attack, and one that the United States government would not use. So our leaders really need to be out front explaining what the PRC did in this case, why it was so irresponsible, and really lining up our allies to join in our condemnations and amplify our messaging.
Now, that being said, there’s a number of ways to do public attribution. It could be done and has been done by statements from the DNI or from the National Security Advisor. But I do think there’s benefits to do it via a public indictment, that indictments tend to carry more credibility because they give specifics, and they project confidence that, if necessary, we could prove each and every one of these facts beyond a reasonable doubt with admissible and credible evidence in a U.S. court.
It’s one thing to say, “Well, the Russians did it” or “The Chinese did it.” It’s something different to say, “It was these particular people within this particular unit of the SVR or the MSS, using these servers on this time, etc.”
Secondly, indictments tell the named defendants that they can never leave Russia or never leave China for fear of arrest and extradition. And that itself is a sanction, and we believe it makes it harder for Russian intelligence to recruit programming talent if they know that it means they can never leave the country again.
And then, third, and relatedly, indictments can serve as the basis for follow-on actions from regulators, such as OFAC, where you can impose sanctions on malicious cyber actors, and we’ve done that in the past. And this will cut the defendants off from the international banking system and can even make it harder for them to get a job within their own country, because a lot of companies that do business abroad need to be worried about their OFAC compliance as well. So I think Alex is going to talk about some of the drawbacks to public indictments, but those are some of the benefits and reasons why it’s done.
Brian Lichter: Okay. That’s helpful. Alex, why don’t you talk about the disadvantages to a public indictment in a context like this.
Alex Iftimie: Sure. And let me start by saying that I was at DOJ and the National Security Division when the department first started using criminal prosecutions to expose malicious cyber activity. And I think the tool is incredibly valuable to confirm legitimacy, essentially, on the attribution that the government is making and to essentially say that we can prove it beyond a reasonable doubt in a court of law. So to some extent, then, I’m playing devil’s advocate here and echoing some of the things that have been said about the difficulties with criminal prosecution.
One, I think first and foremost, is that the charges are of limited impact, because to the extent that these attacks were perpetrated by intelligence units in Russia and China, the perpetrators are unlikely to travel, and we’re unlikely to put handcuffs on the individuals responsible for these attacks, particularly if, at this point, they expect that their activity may ultimately be unearthed and attributed in the way that we’ve done for at least the last six or seven years in prior cases.
Two is a concern that if we start to bring these charges against intelligence officers of foreign countries, that the same can be done against U.S. officials in foreign courts, and that we are therefore putting our own government officials at risk of similar cases in foreign countries.
And I think a third challenge with these cases is that sometimes there are limits on the usable evidence, in that in order to bring these kinds of cases, you have to have evidence that can be used in a court of law. And there are protections for some information under CIPA to be able to protect classified information, but certainly there are limits on what information can be used to support a criminal case, and there may be limits on the government’s ability to develop that evidence so that it’s sufficiently strong for a public attribution.
Brian Lichter: Alex, Kellen mentioned one advantage of bringing a criminal prosecution is that it may make it easier to also impose sanctions on the individuals who engaged in this activity. So can you talk a little bit about the advantages to a -- what is a sanctions-based response to an attack, like the SolarWinds attack, and what are the advantages to trying to deter future attacks through sanctions?
Alex Iftimie: Sure. Happy to cover that. And I’ll say, too, there are many contexts in which we have brought sanctions but not criminal charges, and I think one advantage to the sanctions option is that you don’t have to have a public charging document that lays out in meticulous detail your basis for concluding that a particular actor is responsible for an attack. And so to the extent that there are limits on the information that can be used, sanctions may be a way to get around that.
From my perspective, I think the advantage of the sanctions approach is that it does serve to cut off particular actors from the global economy because of the way the sanctions tools work. It really does make it very difficult, if not impossible, for individuals to essentially operate in the international banking system if they have been designated under a sanctions program.
And it also allows the government to impose costs that go beyond just the individuals who are responsible for that activity, whereas, in a charging document, you might limit yourself to the individuals that are directly responsible for certain activity or that conspired with others to engage in certain activity.
The sanctions regimes are more flexible in imposing consequences that the U.S. government determines are in the national security and foreign policy interest of the U.S. government, and I think that meaningful sanctions that can get at the decision makers in foreign countries are more likely to deter large-scale supply chain attacks, like SolarWinds or like the Hafnium attacks, because they are more likely to influence the decision-making calculus of those officials if they believe that the costs outweigh the benefits of these types of large-scale hacking campaigns. And I think it’s important to set a line, and I think sanctions are one of the easiest ways to impose meaningful consequences in a way that doesn’t escalate the low-grade conflict with these international espionage rings.
Brian Lichter: Yeah. Now, Kellen, I’m interested to hear your perspective. Obviously, you mentioned before that there is some utility to sanctions, but do you think -- how effective do you think sanctions really are in responding to attacks like this, particularly these two attacks which had aggravating factors that differentiate them from some prior attacks?
Kellen Dwyer: Well, I think that sanctions and then the threat of more significant sanctions -- Alex, I think, is alluding to sanctions against Russian oligarchs and people who are very influential in the government because if you get their attention, they get the attention of the Kremlin. I think that threat can be very useful in preventing the Russians from crossing cyber red lines.
We saw recently in the DNI report on the 2020 election that the Russians did not attempt to actually hack voting machines or change tabulations. And it’s some speculation on my part, but I think that’s at least some evidence that when we draw a clear and credible red line in cyberspace, that the Russians do pay attention where they’re certainly willing to do cyberattacks where they think that they’re relatively within bounds. But they are concerned, I think, of triggering what is it that’s going to trigger a real strong U.S. response.
So the question is whether SolarWinds has crossed one of those lines, and I think it’s really hard to identify a clear and credible norm that is being violated here. And at risk of sounding like an apologist for the Russians, I think that the SolarWinds attack was actually quite -- they showed a lot of restraint in the way that they operated it. They do appear to have had the ability to destroy or manipulate data but chose not to do so.
And as Alex pointed out at the beginning, it appears that they sent out the compromised software update to 18,000 entities, but that’s part of how the attack works. But then when the update gets to these entities and calls home, so to speak, to say, “Hey, I’ve got a server that is available for compromise,” and the Russians, then, after 99 percent of those entities, used a kill switch to cut off permanently and irrevocably their access to those targets. And the only backdoors that they activated appears to be for approximately 100 entities that are more traditional espionage targets, like large government institutions.
So that’s a catastrophic intelligence failure. It’s certainly a loss from an intelligence perspective, and a lot of things need to be done to remedy it, which I’m sure we’ll talk about later in terms of defensive actions and regulations. But was there some sort of cyber norm that was broken here? It’s kind of hard to articulate what that is. And if we sanction the Russians for a cyber operation that didn’t break a clear norm, then what’s the incentive for them to limit themselves the next time they conduct an operation if they’re just going to get sanctioned one way or another?
Brian Lichter: So you raise a good point there. You talked about cyber norms. You also used the phrase “red line.” So I want to ask both of you a two-part question. First would be, one, what are those cyber norms or red lines? Kellen, you mentioned potential interference in a presidential election, but what are those norms beyond which you think it would be appropriate to take a more muscular and aggressive response? And I guess to both of you, one, do you think those norms have been crossed in either one of these cases, and two, what would a more muscular response look like in this context? Kellen, why don’t I go to you first and then to Alex.
Kellen Dwyer: Sure. So some of the norms that the U.S. government has been trying to strengthen have been things like not using cyber espionage to steal intellectual property for commercial purposes. That’s a very big issue with China in particular. So that’s one. Election interference is another, and that operates on a scale with the covert messaging on one side and then, at the most extreme, actually changing votes and messing with election infrastructure. So I think that we’ve been very clear that it is a red line.
Damage to critical infrastructure is absolutely something that would warrant a muscular U.S. response. And then I would probably add to the list something similar to what the Chinese appeared to have done in the Microsoft Exchange hack, where you’re intentionally, or at least recklessly, causing collateral damage to a massive amount of private entities by making them vulnerable to hacking by criminals, that that’s -- even if something is an espionage operation, if it’s done by means that cause damage to innocents, then that potentially could be something that triggers a response, a sanctions-based response.
In terms of what the real, what the maximum sanction or maximum response to someone breaking one of these red lines would be, I think it really depends. What’s proportional depends on the incident. But one that’s been talked about by commentators, which has not been used yet, would be to do hack-and-leak type operations against the decision makers, to use Alex’s term. So you could conceivably do messaging to an adversary that if you engage in election interference against us, particularly what’s deemed more serious, like a hack-and-leak or certainly changing votes, that we could release compromising information about you. And Putin, in particular, is very sensitive about this kind of corruption and his relations with the oligarchs.
So that would be -- that’s something that’s been talked about as a potential serious sanction. But, again, that would be very escalatory, and we don’t want to legitimize that tactic. So it’s not something we want to use, but it is something that you can have out there in your back pocket to say, “If you go too far, there’s a risk that we’re going to come down really hard on you in a way that hurts.”
Brian Lichter: So, Alex, I want to get your perspective on whether you agree with the red lines Kellen has drawn, whether you think they go too far or don’t go far enough. But I’m also interested in your thoughts on a response. General Nakasone, who is the director of the National Security Agency and the commander of U.S. Cyber Command, has recently spoken about what he calls “defending forward,” which is using an offensive cyber operation to prevent a threat actor -- to take out an adversary’s infrastructure that they would use to attack us. And he said, I think, that the U.S. did this to prevent foreign actors from interfering with the 2020 presidential election.
So I’m curious as to your thoughts as to what a defending forward response would look like in response to the SolarWinds attack or the Microsoft Exchange attack. But also what about, as Kellen alluded to, using a cyber attack as retribution, a hack-and-leak operation, or going after the critical infrastructure of the Russians or the Chinese, or going after Huawei’s intellectual property? What are your thoughts on those options as a more aggressive response?
Alex Iftimie: So a lot there. I guess let me start with the norms and where to draw the line on those. I very much agree with Kellen in terms of the list that he outlined: cyber espionage for commercial purposes, election interference, damage to critical infrastructure, recklessly causing collateral damage to the U.S. economy and to our businesses and IT infrastructure. I would say with respect to that last one that it can be, and should be, carved in a way that also includes the SolarWinds attack. From my perspective, I think the SolarWinds activity is distinct from traditional espionage and can be differentiated from it.
Certainly, nations spy on each other, and the United States spies, but I think this activity is quite different. Russia famously put microphones in a beautiful wood carved seal that sat in the U.S. Ambassador’s private residence for a number of years, and they put bugs in U.S. embassy typewriters, and they’ve hacked into the White House email system.
What makes this activity different is that rather than targeting it at the U.S. government or intelligence assets, they introduced a vulnerability into thousands of companies that use the SolarWinds product, and the analogy of the house—I will try not to strain it too far—but I think this is not picking the lock of the White House in order to go steal information for intelligence purposes.
They essentially hacked the manufacturing plant that makes the locks and gave themselves access to every resident that installed that type of lock, and it cost businesses hundreds of millions, if not more, to investigate and recover from this activity, and that should be a red line. Supply chain attacks on IT infrastructure in the United States, I think, are beyond the traditional espionage and are something that can be included in the list of things that we draw a red line with.
So then the question is, what do you do about it? And I think this is the part where the U.S. response is really tricky because the problem with a proportional response, responding in kind and doing the same thing to the Russians or the Chinese, is that the United States is uniquely vulnerable to those types of attacks. And if you respond in kind, that’s the opposite of setting a norm. You are essentially sanctioning that kind of activity and engaging in it yourself, and you don’t throw stones from a glass house. And Michael Sulmeyer said it, I think, at one point “If you’re covered in gasoline, be careful throwing matches.”
And I feel the same way about hack-and-leak type operations. I think if we normalize that type of low-grade activity between nation-states, we end up coming out on the wrong side of that because the way our economy is built just makes us so much more vulnerable to those types of attacks.
One alternative to hack-and-leak type operations that I think is valuable is -- one of the things Cyber Command has been doing is exposing the tools of our adversaries. So it sounds like one of the responsive actions to SolarWinds, in fact, will include that to be able to have DHS and the intelligence community essentially publicize the tools that the Russian actors were using, and that has the benefit of degrading their ability to continue to conduct those types of attacks. Now, the question is, will they expose anything meaningful that we don’t already know from what SolarWinds, and Microsoft, and FireEye have already shared?
The last point I’ll make is I do think defending forward works, and it has to be part of the strategy. My sense is that if what we are doing is responding to an imminent threat against the United States, where there is credible intelligence to say the following infrastructure is going to be used to commit attacks against the U.S. government or against U.S. businesses, that disrupting that infrastructure is a legitimate response.
Where I think it’s a little more problematic is conducting destructive attacks or retributive attacks as a response where there isn’t an imminent threat, where we’re not defending ourselves. Part of defending forward is -- the first word is a defense, and I think retribution goes beyond that. So I think we need to be careful about just responding to cause damage where there isn’t some sense of protecting ourselves against an imminent threat.
Brian Lichter: Thanks, Alex, that’s very interesting to hear your thoughts. One thing you mentioned is the impact of the SolarWinds attack on the supply chain and how a supply chain attack might cross that red line. Kellen, I want to go briefly to you to talk a little bit about, from a supply chain standpoint, what can the government do or what can the private sector do, either way, to protect American companies from these sorts of supply chain attacks?
Kellen Dwyer: Sure. I think that we are probably going to see regulations relating to raising procurement standards so that if you are a federal contractor, you’re going to have to prove that your security is up to snuff. And unfortunately, cybersecurity is just one of these classic tragedy of the commons situations where companies do not fully internalize the harms to society for cyber breaches, so because of that, they don’t fully invest in security as much as they should. And based on the public reporting, it appears that SolarWinds was an especially egregious example of this, that it reportedly was purchased by private equity firms that cut costs in a number of ways, including on cybersecurity.
So I think we’ll certainly see the Biden administration use EOs to raise federal procurement standards if you’re selling IT products to the U.S. government. I think that actually could be extended to incentivize all U.S. companies to meet certain kind of supply chain best practices through what’s called the Supply Chain EO that the Trump administration did in 2018, and reportedly, the Biden Commerce Department is in the process of finalizing the implementation rules there.
What that EO says is it essentially sets a CFIUS-like process to review supply chain transactions and domestic companies that are buying IT products from abroad and allows the Commerce Department to veto them based on national security concerns. Something that the Commerce Department could do and should do is you could create some sort of presumption of approval or safe harbor for companies that meet certain supply chain security best practices, that if you have these in place, then we’re more likely to approve your foreign-based IT transactions.
Brian Lichter: Okay. That’s interesting, and it’s interesting to think about. We could talk for a long time about what sort of regulatory responses the government could either mandate or incentives they could provide to encourage companies to improve supply chain security from a cybersecurity standpoint.
But before we get to questions, I want to pivot to one related topic which has to do with domestic infrastructure and the use of domestic infrastructure to carry out cyber-attacks. If you read the news, there’s been talk recently about how the U.S. intelligence community can’t monitor domestic internet activity. Federal law enforcement can, but they can only do so through valid legal process, whether that’s a search warrant, a subpoena, a pen register, etc.
So a lot of the news commentary recently is focused on domestic terrorism, domestic extremism. A lot of these conversations have stemmed from the January 6 event at the Capitol. But what’s interesting with respect to these two attacks is that the Russians used U.S. domestic infrastructure to launch the SolarWinds attack, and the Chinese used U.S. servers to exploit these Microsoft Exchange zero-day vulnerabilities.
So setting aside the issue of what Americans are doing on the American internet infrastructure, like we can have a situation where a foreign adversary is using our domestic infrastructure to launch attacks against Americans, and as of right now, the intelligence community doesn’t have a lot of tools to monitor that activity. So, Alex, what are your thoughts on this problem? Do you think there are good ways to address this gap, and what can be done?
Alex Iftimie: So I guess I would take issue with whether there’s actually a gap that needs to be filled. I’ll say that as someone who was at DOJ, when we were dealing with the aftermath of the Snowden leaks and the ensuing intelligence reforms, it’s amusing to see the pendulum swing and to now be talking about the need for increased domestic surveillance authorities.
I’m not sure that we need that, and just my sense of why the Russians were using domestic infrastructure is because it allowed them to blend in with the activity of U.S. companies’ regular employees. It’s much harder to discern the activity of the threat actor if it looks like and quacks like the activity of your employees, and they’re using IP addresses that are close in terms of geolocation to the ones that legitimate users would be using.
I think the criminal investigative tools that the Department of Justice and the FBI have to work with domestic internet service providers to get log information, and subscriber information, copies of servers, and things that they would need to conduct an investigation, are robust. And, in general, I would say I would much prefer a threat actor to be using U.S. infrastructure than foreign infrastructure in terms of our ability to attribute that activity and to run down exactly who was responsible.
I’ve seen some other ideas suggesting that there could be a dual-hatted DHS official that sits at the National Security Agency as a deputy and could rely on certain limited resources or could pair up domestic law enforcement intelligence with the intelligence community intelligence. I would look for something more along those lines than trying to expand the authorities of the intelligence community to get information from our domestic internet service providers.
Brian Lichter: Kellen, do you agree with Alex’s view on this, or would you propose a different policy solution?
Kellen Dwyer: Not entirely. I do agree with him that part of the reason our adversaries used leased U.S. infrastructure – I’m just going to take a step back for the listeners. We’re talking about companies that, as a business, lease server spaces. And we know based on the public reporting that both the Chinese and Russians leased infrastructure in the United States and used that as a staging ground to commit both of these attacks.
So I agree with Alex that one of the reasons they do this is to blend in. It’s less suspicious if an IP address is coming from Indiana than if it’s coming from Moscow, of course. But there’s also a number of statements, including from General Nakasone, that part of the reason our adversaries do this is because they know that the NSA is not able to collect and monitor internet traffic in the United States, so that’s deemed to be the safer way to do it. The FBI, of course, can, but it’s a slower and more cumbersome process, and they move very quickly. So that’s a problem.
I think that the press misreported the statements from Nakasone and others as implying that NSA is asking for authority in the United States. I don’t think anyone is seriously proposing that for the reasons that Alex mentioned. But I do think that there is if not a solution, at least a mitigation to this problem, and it’s something that the Trump administration did on President Trump’s very last day in office, and it’s an executive order which would impose know your customer requirements on cloud service providers, companies that lease infrastructure.
Essentially, just like if you’re a bank, you have to have a responsible compliance program to make sure that your customers are who they say they are. If you’re in the business of leasing computer infrastructure in the United States, you should also have minimum know your customer requirements to make sure that your customers are not foreign intelligence agents.
So that was put out on January 19.
My understanding is that the Biden administration intends to move forward with implementing it, so it’s on Commerce initially to draw the implementing regulations. But I think that would be a serious step forward because the FBI can’t collect information that companies don’t collect in the first place, so requiring companies to collect that minimal information.
And if it has a benefit of driving our adversaries abroad, where there can be easier collection, I think that is a benefit from an intelligence perspective, even if it’s going to make subsequent law enforcement cases more difficult. But despite being a prosecutor, as much as I love to prosecute cases, of course, it’s better for us to thwart them in the first place. And I think this would go at least some of the way towards doing that.
Brian Lichter: Well, thanks to both of you. I think this has been a really interesting discussion and great to hear your well-informed thoughts on what is a complex and evolving issue. So with that, I’d like to turn it over to the audience. We have about 10 minutes left to see if anyone has questions for Alex or Kellen.
Evelyn Hildebrand: Absolutely. And while we’re waiting for audience members to join the queue, I’ll hand the floor back over to Brian.
Brian Lichter: Okay. And thanks, Evelyn. Thank you, everyone, for being here. Just again, I really appreciate your time and hope that you’ve enjoyed the discussion. So with that, we’ll await any questions. And, of course, thank you to Alex and Kellen for joining.
Evelyn Hildebrand: Perfect. We’ll now move to our first caller.
Roger Candelaria: Hi, this is Roger Candelaria. I’m in Maryland right now, and thank you all for the excellent presentation. My question is about prosecuting or not prosecuting the decisions around prosecuting U.S. government officials that don’t follow the protocols. And we heard so much during the elections, about four years ago, about particularly Hillary Clinton and some of her advisors and what they did to leave open, as I understand it, gaps that could be penetrated or infiltrated by people hostile to the U.S. Thank you.
Brian Lichter: Alex, Kellen, I’m not sure if either of you have a perspective on that.
Alex Iftimie: Go ahead, Kellen. Go ahead.
Kellen Dwyer: Oh, no, please, you can go ahead.
Alex Iftimie: Roger, maybe, you can clarify just the -- and thanks for the question. I wasn’t quite sure that I understood the nexus of the foreign prosecutions of U.S. officials. I think the balancing act between criminal prosecutions in the U.S., or one of the stated concerns of criminal prosecutions in the U.S., is that it opens our officials up to the similar accusations abroad, so when we have members of the State Department intelligence community, whoever it may be, out in foreign posts, that their activities that they may be conducting are not the subject of criminal prosecutions in foreign jurisdictions.
Obviously, there’s a strong interest in protecting our own and in making sure that we’re not setting up a precedent that makes it harder for them to do their jobs or exposes them to arrest or liability in those foreign jurisdictions. And there have been any number of cases like that that have come up over the last few years, including of high-profile officials from multiple administrations.
Kellen Dwyer: Yeah. Honestly, I think I understand the nexus to the extent that certainly SolarWinds reminds us of the importance of following the rules and making sure that classified information doesn’t end up on unclassified systems. And based on the reporting, it was only unclassified systems that were breached. But, of course, if government employees aren’t following the rules and are putting information on classified systems, that’s a major problem.
Prosecution is an extreme remedy. It would be reserved for something that was done intentionally and egregiously. But it certainly is a reminder that everyone in government needs to follow the rules, as cumbersome as they are.
Roger Candelaria: Thank you.
Evelyn Hildebrand: Thank you.
J.B. Tarter: Good afternoon. This is J.B. Tarter. My question’s only for myself, not my current agency. So the question I have is this talking all about federal prosecution. It seems that to the extent these are hacks of private companies, some state laws could be at play and affected. So far, have we seen any interest in states or local prosecutors going after some of these entities, or because of resources, has it just defaulted to the feds?
Brian Lichter: Thanks, J.B., for the question. Alex, why don’t I throw this one to you first?
Alex Iftimie: Yeah. I’m not aware of any significant or credible state prosecutions. I think there are certainly laws at the state level that could be used to be grounds for an investigation or charges, but I think these cases are really difficult to pull together in terms of the evidence that you need to pull. And so far, we’ve really seen those just at the federal level.
I think there would also be comity issues at play. I think the federal government and whoever is in the administration in the White House may have concerns about states getting out ahead of the national security informed policy calculus of the federal government in deciding who to charge, and for what reason, and how that interfaces with all the other concerns we’ve talked about. So I would suspect that those types of charges would not be well received by the federal government if the states, an overeager attorney general or someone like that, went out to try to prove those kinds of cases.
Kellen Dwyer: And I think not well received is probably an understatement, but I do think it too. And J.B., it’s good to hear a familiar voice. But I do think that we have seen, and will continue to see, state AGs being active in the space. But normally, they’re more into investigating the companies who are breached to see whether they broke any security or data privacy laws in terms of whether they had adequate security to protect their customers’ data. So I think that we will see state AGs being involved, probably, as a result of these breaches, but they’re probably more likely to be looking at the U.S.-based companies.
Brian Lichter: Great. Thank you.
Alex Iftimie: That’s a great point, Kellen, on the cybersecurity practices of the victims.
Evelyn Hildebrand: Great. Thank you for the answer and the question. In the absence of anyone else who would like to ask a question, since we are closing out the hour, if you have a final comment or a final question for me, Brian, and then we can close out.
Brian Lichter: No, that’s all. Thanks, everyone, for the questions. Thanks to Alex and Kellen for their time and for being with us today, and to you, Evelyn, and to The Federalist Society for helping to host this discussion.
Evelyn Hildebrand: Wonderful. And on behalf of The Federalist Society, I want to thank our experts for the benefit of their valuable time and expertise today. And I want to thank our audience for calling in and participating. We welcome listener feedback by email at firstname.lastname@example.org. As always, keep an eye on our website and your emails for announcements about upcoming teleforum calls and virtual events. Thank you all for joining us today. We are adjourned.
Dean Reuter: Thank you for listening to this episode of Teleforum, a podcast of The Federalist Society’s practice groups. For more information about The Federalist Society, the practice groups, and to become a Federalist Society member, please visit our website at fedsoc.org.