The U.S. Treasury and Commerce departments, along with untold numbers of government and corporate computer networks, have been breached in what may be an espionage attempt by the Russian government. (The Russians are, of course, denying responsibility.)
The avenue was reportedly a malicious software update pushed through SolarWinds Inc., an Austin-based network management company that counts both the federal government and hundreds of major U.S. companies among its clients. Essentially, the hackers slipped some malicious code into a software update; if you were on the infected networks that installed the update, this gave the hackers backdoor access to your data.
The infiltration apparently began in the spring but was not announced until this past weekend. SolarWinds reports that as many as 18,000 customers may have downloaded the infected update.
The Wall Street Journal reports that this infiltration may be above and beyond the usual cyberespionage:
While those familiar with the hack couldn't precisely specify its scope or the resulting damage to the U.S. government, several described it as among the most potentially worrisome cyberattacks in years, because it may have allowed Russia to access sensitive information from government agencies, defense contractors and other industries. One person familiar with the matter said the campaign was a "10" on a scale of one to 10, in terms of its likely severity and national-security implications.
Last week FireEye, a California-based cybersecurity firm, also reported a sophisticated hack that compromised its tools, which it attributed to a foreign government.
It's worthwhile to consider these developments in the light of law enforcement's efforts to weaken encryption protections. When officials insist that individuals should not have access to strong encryption unless the government can bypass those protections and access our data, they don't acknowledge that police won't be the only ones exploiting those back doors. Others with malicious intent, be they criminals or foreign governments (or both), will figure out how to get through too. It has happened before to our own very own government, as another country, possibly China, figured out how to access a cybersecurity bypass that had been installed for the National Security Agency.
In this latest incident, the extent of which we still don't know, the hackers had to create their own back door. So even cybersecurity that hasn't been undermined by statute isn't going to be perfect protection. But weaker security certainly isn't the answer. These back doors are bad. Whenever any senator or FBI director or police chief demands the power to bypass encryption, he or she should be reminded of this potentially dangerous breach.
Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.